{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-pq67-6m6q-mj2v", "name": "urllib3: GHSA-pq67-6m6q-mj2v", "shortDescription": {"text": "urllib3: GHSA-pq67-6m6q-mj2v"}, "fullDescription": {"text": "urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-48p4-8xcf-vxj5", "name": "urllib3: GHSA-48p4-8xcf-vxj5", "shortDescription": {"text": "urllib3: GHSA-48p4-8xcf-vxj5"}, "fullDescription": {"text": "urllib3 does not control redirects in browsers and Node.js"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mf9w-mj56-hr94", "name": "python-dotenv: GHSA-mf9w-mj56-hr94", "shortDescription": {"text": "python-dotenv: GHSA-mf9w-mj56-hr94"}, "fullDescription": {"text": "python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-68rp-wp8r-4726", "name": "flask: GHSA-68rp-wp8r-4726", "shortDescription": {"text": "flask: GHSA-68rp-wp8r-4726"}, "fullDescription": {"text": "Flask session does not add `Vary: Cookie` header when accessed in some ways"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `shop_items` has cognitive complexity 9 (SonarSource scale). Cognitive com", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `shop_items` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 9."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-PY", "name": "Python package `Flask` is minor version(s) behind (3.0.3 -> 3.1.3)", "shortDescription": {"text": "Python package `Flask` is minor version(s) behind (3.0.3 -> 3.1.3)"}, "fullDescription": {"text": "`Flask==3.0.3` is minor version(s) behind the latest stable release on PyPI (3.1.3). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-gm62-xv2j-4w53", "name": "urllib3: GHSA-gm62-xv2j-4w53", "shortDescription": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "fullDescription": {"text": "urllib3 allows an unbounded number of links in the decompression chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38jv-5279-wg99", "name": "urllib3: GHSA-38jv-5279-wg99", "shortDescription": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "fullDescription": {"text": "Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2xpw-w6gg-jr37", "name": "urllib3: GHSA-2xpw-w6gg-jr37", "shortDescription": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "fullDescription": {"text": "urllib3 streaming API improperly handles highly compressed data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-141", "name": "urllib3: PYSEC-2026-141", "shortDescription": {"text": "urllib3: PYSEC-2026-141"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED009", "name": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.", "shortDescription": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1018"}, "properties": {"repository": "indmdev/Free-Telegram-Store-Bot", "repoUrl": "https://github.com/indmdev/Free-Telegram-Store-Bot", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 95527, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 95525, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Flask"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-pq67-6m6q-mj2v", "level": "warning", "message": {"text": "urllib3: GHSA-pq67-6m6q-mj2v"}, "properties": {"repobilityId": 95524, "scanner": "osv-scanner", "fingerprint": "163bdff65c3ce10f9a93a9866aca7dc5f2158119544e441758bb1e189063007d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-50181"], "package": "urllib3", "rule_id": "GHSA-pq67-6m6q-mj2v", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-50181|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48p4-8xcf-vxj5", "level": "warning", "message": {"text": "urllib3: GHSA-48p4-8xcf-vxj5"}, "properties": {"repobilityId": 95522, "scanner": "osv-scanner", "fingerprint": "7c8080ffeb27fda397394b938e43374c1e5bde665fb671a60de1a482e26e06ed", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-50182"], "package": "urllib3", "rule_id": "GHSA-48p4-8xcf-vxj5", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-50182|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mf9w-mj56-hr94", "level": "warning", "message": {"text": "python-dotenv: GHSA-mf9w-mj56-hr94"}, "properties": {"repobilityId": 95518, "scanner": "osv-scanner", "fingerprint": "030c6ea3936499659ed910925462b9058f7115cecd98afed139ec104f4c2978a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-28684"], "package": "python-dotenv", "rule_id": "GHSA-mf9w-mj56-hr94", "scanner": "osv-scanner", "correlation_key": "vuln|python-dotenv|CVE-2026-28684|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 95514, "scanner": "repobility-threat-engine", "fingerprint": "4ca1153ba111388a8889a4b4e9f81fa1210428463ae7df06a5b60524fd762c94", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n            return None", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4ca1153ba111388a8889a4b4e9f81fa1210428463ae7df06a5b60524fd762c94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "purchase.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95506, "scanner": "repobility-ast-engine", "fingerprint": "54b0602e0b9db1fd1c08268a8037433ef8a8dc9aaeda6456244195e57d976a73", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|54b0602e0b9db1fd1c08268a8037433ef8a8dc9aaeda6456244195e57d976a73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 1422}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95505, "scanner": "repobility-ast-engine", "fingerprint": "f1dd186b309439795e16e22b0cf9662c527eebe8c230181418101da146ddef6d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f1dd186b309439795e16e22b0cf9662c527eebe8c230181418101da146ddef6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 1401}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95504, "scanner": "repobility-ast-engine", "fingerprint": "98c7f6f09dd6d01ba050141fdb5672eaf7cccaf0e7109e0a7efe68c9b8d0a0d1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|98c7f6f09dd6d01ba050141fdb5672eaf7cccaf0e7109e0a7efe68c9b8d0a0d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 1211}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95503, "scanner": "repobility-ast-engine", "fingerprint": "2cbbc79e6d8a7f2f4c02bd1719d27d14d531acf936aef3e4acd0977ec658f9ca", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2cbbc79e6d8a7f2f4c02bd1719d27d14d531acf936aef3e4acd0977ec658f9ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 1028}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95502, "scanner": "repobility-ast-engine", "fingerprint": "50008780a70391e13d997a9a2bf46ea39253662f1641e4e388b278b8e9e330c4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|50008780a70391e13d997a9a2bf46ea39253662f1641e4e388b278b8e9e330c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 891}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95501, "scanner": "repobility-ast-engine", "fingerprint": "2caa9df04d4c409df4c7ac0e1eb79cf3bccd61dc6235120d24137982c0f3c572", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2caa9df04d4c409df4c7ac0e1eb79cf3bccd61dc6235120d24137982c0f3c572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 589}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95500, "scanner": "repobility-ast-engine", "fingerprint": "2e728dab3fc6d2ef35575a1cbfed5557815f05b406712539300368b85a49ad29", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2e728dab3fc6d2ef35575a1cbfed5557815f05b406712539300368b85a49ad29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 507}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95499, "scanner": "repobility-ast-engine", "fingerprint": "7ff8ecaf0d73ad059491cdd6ad8bff897f58916ac89fd2bbd19545b5fcd12928", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ff8ecaf0d73ad059491cdd6ad8bff897f58916ac89fd2bbd19545b5fcd12928"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 409}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95498, "scanner": "repobility-ast-engine", "fingerprint": "09d30f74381730935fae92e40755e8eb7e57bed0fbeb6da527c9af52ca94e100", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|09d30f74381730935fae92e40755e8eb7e57bed0fbeb6da527c9af52ca94e100"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 377}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95497, "scanner": "repobility-ast-engine", "fingerprint": "a7ae3f6de3dcdf8e7ba22383023c02b0485e6d79558adb1b5aaf98795133ecd4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a7ae3f6de3dcdf8e7ba22383023c02b0485e6d79558adb1b5aaf98795133ecd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95496, "scanner": "repobility-ast-engine", "fingerprint": "0b306a5c529ce099b4984bdef3098e80503be584cec9e6486611969337c17fdd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b306a5c529ce099b4984bdef3098e80503be584cec9e6486611969337c17fdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 333}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95495, "scanner": "repobility-ast-engine", "fingerprint": "27080cb831837c422c59f960c7fcbd74097bb23c6c24f7ec0051f4cf49721ab2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|27080cb831837c422c59f960c7fcbd74097bb23c6c24f7ec0051f4cf49721ab2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95494, "scanner": "repobility-ast-engine", "fingerprint": "88df0f3a5d5a55b4743ae6e023205b7d243345ab17fcbb6dac3a06b59de4f716", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|88df0f3a5d5a55b4743ae6e023205b7d243345ab17fcbb6dac3a06b59de4f716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 1333}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95493, "scanner": "repobility-ast-engine", "fingerprint": "0f6b943011dd3ac763d435336638fab9f05c6a5d54fa72a067133b5b16e3e554", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0f6b943011dd3ac763d435336638fab9f05c6a5d54fa72a067133b5b16e3e554"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 1297}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95492, "scanner": "repobility-ast-engine", "fingerprint": "1431c187a0daec4ea0f08d7592c53704024e5221f0e9c7309b3bdd93aa1f8dfe", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1431c187a0daec4ea0f08d7592c53704024e5221f0e9c7309b3bdd93aa1f8dfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 1266}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95491, "scanner": "repobility-ast-engine", "fingerprint": "f2ca114e3477c83249791f67d89e0b8c320cedfcf3c8d17226284ee471fcc34e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f2ca114e3477c83249791f67d89e0b8c320cedfcf3c8d17226284ee471fcc34e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 992}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95490, "scanner": "repobility-ast-engine", "fingerprint": "d1858bee1a381f0dd2c36306a8481efc77ace920d1463fbcf260714c0964c9cf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1858bee1a381f0dd2c36306a8481efc77ace920d1463fbcf260714c0964c9cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 960}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95489, "scanner": "repobility-ast-engine", "fingerprint": "e41323c980008deffae73f592924e266ba78e76782443ccde7d37d5a594ce17f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e41323c980008deffae73f592924e266ba78e76782443ccde7d37d5a594ce17f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 928}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95488, "scanner": "repobility-ast-engine", "fingerprint": "99bf8b430adcc083bd00fd2e5de7de7a9050efbc094fdf8c84a4e546d0e46693", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|99bf8b430adcc083bd00fd2e5de7de7a9050efbc094fdf8c84a4e546d0e46693"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 855}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95487, "scanner": "repobility-ast-engine", "fingerprint": "b75e91f476a8eeb4c09ffbdaa1e1036821d045e60812c7d905e218c9831ca2e8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b75e91f476a8eeb4c09ffbdaa1e1036821d045e60812c7d905e218c9831ca2e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 571}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95486, "scanner": "repobility-ast-engine", "fingerprint": "54ebc5f9ba74afb86bb6a3a0068834e30465b7a850de283715a5c426044b65a7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|54ebc5f9ba74afb86bb6a3a0068834e30465b7a850de283715a5c426044b65a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 543}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95485, "scanner": "repobility-ast-engine", "fingerprint": "f731b0ddf959fa5faadcc6a97a212120284995043889d47903f75c2393aa2095", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f731b0ddf959fa5faadcc6a97a212120284995043889d47903f75c2393aa2095"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store_main.py"}, "region": {"startLine": 236}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95484, "scanner": "repobility-ast-engine", "fingerprint": "bc010c894344fc597c17b696ff0d3dd786b710c7d4602b84c80b1783f5057ed5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bc010c894344fc597c17b696ff0d3dd786b710c7d4602b84c80b1783f5057ed5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "purchase.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95483, "scanner": "repobility-ast-engine", "fingerprint": "888e38faabe00e0038818f3048b8a1b23245b56834e43d9e706361a1af090f45", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|888e38faabe00e0038818f3048b8a1b23245b56834e43d9e706361a1af090f45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "purchase.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 95482, "scanner": "repobility-ast-engine", "fingerprint": "6d7101a6de8ca9b9bafcec914d3443f90e0f43cbe8dd54d0776fb3695a2ff710", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6d7101a6de8ca9b9bafcec914d3443f90e0f43cbe8dd54d0776fb3695a2ff710"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "InDMCategories.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 95481, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 95526, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Flask"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "GHSA-68rp-wp8r-4726", "level": "note", "message": {"text": "flask: GHSA-68rp-wp8r-4726"}, "properties": {"repobilityId": 95517, "scanner": "osv-scanner", "fingerprint": "6fa4359b4fa21f39d4ac8d31d0e5887a2d953f4bbd02c8aa05aad1be371295a0", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27205"], "package": "flask", "rule_id": "GHSA-68rp-wp8r-4726", "scanner": "osv-scanner", "correlation_key": "vuln|flask|CVE-2026-27205|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `shop_items` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, for=3, if=1, nested_bonus=4."}, "properties": {"repobilityId": 95511, "scanner": "repobility-threat-engine", "fingerprint": "acc3caca72993764dae6f53b73a713c5acf2bb3f203e752164588338691ca1e7", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "shop_items", "breakdown": {"if": 1, "for": 3, "else": 1, "nested_bonus": 4}, "complexity": 9, "correlation_key": "fp|acc3caca72993764dae6f53b73a713c5acf2bb3f203e752164588338691ca1e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "purchase.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `get_category_products` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=2, for=2, if=3, nested_bonus=6."}, "properties": {"repobilityId": 95510, "scanner": "repobility-threat-engine", "fingerprint": "dd522ce46f521ccfc0a97cc0fdf5eda0b757c9a5a8552de278541a0ee2c3bcd5", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_category_products", "breakdown": {"if": 3, "for": 2, "else": 2, "nested_bonus": 6}, "complexity": 13, "correlation_key": "fp|dd522ce46f521ccfc0a97cc0fdf5eda0b757c9a5a8552de278541a0ee2c3bcd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "InDMCategories.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `Flask` is minor version(s) behind (3.0.3 -> 3.1.3)"}, "properties": {"repobilityId": 95509, "scanner": "repobility-dependency-currency", "fingerprint": "8fe54834457991469b1b2b62f20e658ba5ed33ced0caa2f4f1233b31cff980d5", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "Flask", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.1.3", "correlation_key": "fp|8fe54834457991469b1b2b62f20e658ba5ed33ced0caa2f4f1233b31cff980d5", "current_version": "3.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `python-dotenv` is minor version(s) behind (1.0.1 -> 1.2.2)"}, "properties": {"repobilityId": 95508, "scanner": "repobility-dependency-currency", "fingerprint": "a3924ba3634c29480933724966ed1747a518e41f57e73a97a64e5ecc1778d2bb", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "python-dotenv", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.2.2", "correlation_key": "fp|a3924ba3634c29480933724966ed1747a518e41f57e73a97a64e5ecc1778d2bb", "current_version": "1.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `urllib3` is minor version(s) behind (2.2.3 -> 2.7.0)"}, "properties": {"repobilityId": 95507, "scanner": "repobility-dependency-currency", "fingerprint": "c39dfd885b7e2a63f8a766dd0608742022b2edcd72ee2f45fad29055b51ac848", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "urllib3", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.7.0", "correlation_key": "fp|c39dfd885b7e2a63f8a766dd0608742022b2edcd72ee2f45fad29055b51ac848", "current_version": "2.2.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 95516, "scanner": "repobility-threat-engine", "fingerprint": "7f959e6c87a4b0a3725ad80ca96e9eccfded96f672e41caa54a5ce8f1463c9bf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7f959e6c87a4b0a3725ad80ca96e9eccfded96f672e41caa54a5ce8f1463c9bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "GHSA-gm62-xv2j-4w53", "level": "error", "message": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "properties": {"repobilityId": 95523, "scanner": "osv-scanner", "fingerprint": "c6179b31454e1888b1c1cb677d9a99fa3cc26aa20b5c461bc02cfa5532b4b7de", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66418"], "package": "urllib3", "rule_id": "GHSA-gm62-xv2j-4w53", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66418|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38jv-5279-wg99", "level": "error", "message": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "properties": {"repobilityId": 95521, "scanner": "osv-scanner", "fingerprint": "7efc812025ab761a376ad0e88be78a767b579da26a39959de36b3ff8586ddf87", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-21441"], "package": "urllib3", "rule_id": "GHSA-38jv-5279-wg99", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-21441|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2xpw-w6gg-jr37", "level": "error", "message": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "properties": {"repobilityId": 95520, "scanner": "osv-scanner", "fingerprint": "3e8220a54bdfdded3281f2e83b5ce135568419305f3e1461f7898b0d265417c6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66471"], "package": "urllib3", "rule_id": "GHSA-2xpw-w6gg-jr37", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66471|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-141", "level": "error", "message": {"text": "urllib3: PYSEC-2026-141"}, "properties": {"repobilityId": 95519, "scanner": "osv-scanner", "fingerprint": "c9782ea239ddf9652bd8aa66c5c6c4ebee4d2b704faaab015341940a64bb5ee3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc"], "package": "urllib3", "rule_id": "PYSEC-2026-141", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44431|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8fea5709b1e04c1904accc4ad0dc76733fefc920773cbaba3c59a24994880532", "c9782ea239ddf9652bd8aa66c5c6c4ebee4d2b704faaab015341940a64bb5ee3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 95515, "scanner": "repobility-threat-engine", "fingerprint": "cc26e0b7693c83c527eeb8f1f8b4ce74aa882c14ae8ffcfbf59c444db825aad7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cc26e0b7693c83c527eeb8f1f8b4ce74aa882c14ae8ffcfbf59c444db825aad7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 95513, "scanner": "repobility-threat-engine", "fingerprint": "a433f7007811b430881d963fc1ec1e7a53da375fe5da4e47a009da320663d767", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a433f7007811b430881d963fc1ec1e7a53da375fe5da4e47a009da320663d767"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 95512, "scanner": "repobility-threat-engine", "fingerprint": "a9bc2b1e0716b4bd532635d069b4d66dd163ca753f89ef9682be928416848a4d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a9bc2b1e0716b4bd532635d069b4d66dd163ca753f89ef9682be928416848a4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 95480, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}]}]}