{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC086", "name": "[SEC086] JS: bidirectional Unicode (Trojan Source): Bidirectional Unicode override chars in source \u2014 Trojan Source attac", "shortDescription": {"text": "[SEC086] JS: bidirectional Unicode (Trojan Source): Bidirectional Unicode override chars in source \u2014 Trojan Source attack (CVE-2021-42574). Ported from eslint-plugin-security detect-bidi-characters (Apache-2.0)."}, "fullDescription": {"text": "Remove the bidi chars or encode them explicitly. Use `cargo geiger`-style CI lint for new commits."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 216 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED123", "name": "Trojan Source bidi character (FSI) in source", "shortDescription": {"text": "Trojan Source bidi character (FSI) in source"}, "fullDescription": {"text": "Line 97 contains a Unicode bidirectional override character (U+2068 FSI). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see different code than the human reviewer."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1063"}, "properties": {"repository": "walt-app/walt-passes-android", "repoUrl": "https://github.com/walt-app/walt-passes-android", "branch": "main"}, "results": [{"ruleId": "SEC086", "level": "warning", "message": {"text": "[SEC086] JS: bidirectional Unicode (Trojan Source): Bidirectional Unicode override chars in source \u2014 Trojan Source attack (CVE-2021-42574). Ported from eslint-plugin-security detect-bidi-characters (Apache-2.0)."}, "properties": {"repobilityId": 104187, "scanner": "repobility-threat-engine", "fingerprint": "b48fd96e8dce519bc06e0a43ef055c2802a62b82a7e2188cf201d958f898a933", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\u2068", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC086", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b48fd96e8dce519bc06e0a43ef055c2802a62b82a7e2188cf201d958f898a933"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-ui-core/src/main/kotlin/is/walt/passes/ui/core/BidiIsolation.kt"}, "region": {"startLine": 27}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 104177, "scanner": "repobility-agent-runtime", "fingerprint": "c8b6fa3edba29a394adccedf583d931b674f4ad33552468b6bd731ae32fe9d00", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c8b6fa3edba29a394adccedf583d931b674f4ad33552468b6bd731ae32fe9d00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".beads/README.md"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104174, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c4889b2a1d967f9b09f1468cd551c197411422f6368ec473e80d33781e199d4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "passes-storage/src/androidTest/kotlin/is/walt/passes/storage/CipherCompatReopenTest.kt", "duplicate_line": 63, "correlation_key": "fp|5c4889b2a1d967f9b09f1468cd551c197411422f6368ec473e80d33781e199d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-storage/src/androidTest/kotlin/is/walt/passes/storage/KeyUnavailableAcrossDataClearTest.kt"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104173, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd74e51537af1d64ccef496ada3f7a7783097536654a1cbd0ff36eb08571e8b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "passes-barcode/src/main/kotlin/is/walt/passes/barcode/android/DecodeWatchdog.kt", "duplicate_line": 8, "correlation_key": "fp|cd74e51537af1d64ccef496ada3f7a7783097536654a1cbd0ff36eb08571e8b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-pdf/src/main/kotlin/is/walt/passes/pdf/android/RenderWatchdog.kt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 104188, "scanner": "repobility-threat-engine", "fingerprint": "4752d5161e334da522e09e8865a08b48a7cd22b9fce25355c94e1ec70803c736", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4752d5161e334da522e09e8865a08b48a7cd22b9fce25355c94e1ec70803c736"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-ui/src/main/kotlin/is/walt/passes/ui/FieldLinkScanner.kt"}, "region": {"startLine": 209}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 104181, "scanner": "repobility-threat-engine", "fingerprint": "1ab24bd4307ac28d8fe949cb2ba0d619298592370da5c4874409946d0caac342", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1ab24bd4307ac28d8fe949cb2ba0d619298592370da5c4874409946d0caac342"}}}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 104186, "scanner": "repobility-threat-engine", "fingerprint": "643772c328fc384dd74ebbd37199079588b4202681920a41c2182efe61cfb078", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "db.delete()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|643772c328fc384dd74ebbd37199079588b4202681920a41c2182efe61cfb078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-storage/src/androidTest/kotlin/is/walt/passes/storage/KeyUnavailableAcrossDataClearTest.kt"}, "region": {"startLine": 183}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 104185, "scanner": "repobility-threat-engine", "fingerprint": "c9a885260fe9ecc3af7cd866330f97a34f9923a55c86d9a131c8e87db16ab2b0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "db.delete()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c9a885260fe9ecc3af7cd866330f97a34f9923a55c86d9a131c8e87db16ab2b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-storage/src/androidTest/kotlin/is/walt/passes/storage/CipherCompatReopenTest.kt"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 104184, "scanner": "repobility-threat-engine", "fingerprint": "061f33eecd209f59cb72260065b42d46fcbefb5aafa408aed9a9ae5c739e03e1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n                s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|061f33eecd209f59cb72260065b42d46fcbefb5aafa408aed9a9ae5c739e03e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-ui/src/main/kotlin/is/walt/passes/ui/BarcodeCreateConfirmSheetPreviews.kt"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 104183, "scanner": "repobility-threat-engine", "fingerprint": "1a5b9610dce07107d4e2834cd2d0e6f186f500489be151cf6662c2be85707fe4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a5b9610dce07107d4e2834cd2d0e6f186f500489be151cf6662c2be85707fe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-core/src/main/kotlin/is/walt/passes/core/QrPayloadKind.kt"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 104182, "scanner": "repobility-threat-engine", "fingerprint": "3fb54c3c94c75a7909d810cfa49e5258d44a6506c03c6e6c1db5f24aeeb03cee", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3fb54c3c94c75a7909d810cfa49e5258d44a6506c03c6e6c1db5f24aeeb03cee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-core/src/main/kotlin/is/walt/passes/core/QrPayloadClassifier.kt"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 104176, "scanner": "repobility-supply-chain", "fingerprint": "e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 104180, "scanner": "repobility-threat-engine", "fingerprint": "254eb7d164c3d65014d5fddf144d7bee293d875b35e59b334484932dee92ec37", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(maxSize", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|254eb7d164c3d65014d5fddf144d7bee293d875b35e59b334484932dee92ec37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-pdf-ui/src/main/kotlin/is/walt/passes/pdf/ui/internal/RenderedPageCache.kt"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 104179, "scanner": "repobility-threat-engine", "fingerprint": "2ba59de5436103589b0a3ff9bad22fcf4e15253a69754fea4172e6fb031028f0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(width", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2ba59de5436103589b0a3ff9bad22fcf4e15253a69754fea4172e6fb031028f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-core/src/main/kotlin/is/walt/passes/core/BarcodeMatrix.kt"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 104178, "scanner": "repobility-threat-engine", "fingerprint": "1fa1298c14fd7a41ee971d2cdbbbdc39800fbd2db548ff1ed3acadd10b7ccea4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(width", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1fa1298c14fd7a41ee971d2cdbbbdc39800fbd2db548ff1ed3acadd10b7ccea4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-barcode-core/src/main/kotlin/is/walt/passes/barcode/YPlaneFrameDecode.kt"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED123", "level": "error", "message": {"text": "Trojan Source bidi character (FSI) in source"}, "properties": {"repobilityId": 104175, "scanner": "repobility-supply-chain", "fingerprint": "195a2f648a729ab766731f2bb2893cc3b95cf5347f39d4647f40b3b7bdb2910b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 24 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"mined": true, "mining": {"slug": "trojan-source-bidi", "owasp": null, "cwe_ids": ["CWE-1007"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "vuln||CVE-2021-42574|token", "duplicate_count": 24, "duplicate_rule_ids": ["MINED123"], "duplicate_scanners": ["repobility-supply-chain"], "duplicate_fingerprints": ["001806580f1cb6d26fb8e41a5319385591975f4b90bb089d4a167e7bc07020c9", "0b2c5f4207546a880e6bf532015956b75acb8281b01d59a2e83a122b88831947", "162f3ed84829656c9073e60408669c9b966970819a9af7a8379b0b2efbaa361a", "195a2f648a729ab766731f2bb2893cc3b95cf5347f39d4647f40b3b7bdb2910b", "34d639c64270e739b147929db19e97093ddc78e95bdb5672bf493dfded721371", "422c8b73eeeb874585a77154dc677e78ed2da98720de61b1f3f66f41b3311be7", "42fd65f9ab8665b64ef312aab6750f3586e706b0fce97e91467d2fd3bd0b2f9b", "4356fab8db8ae3ce279752429cf6dae62671ecb45d8265efce781df475ee673b", "533dd38cd45ee2ee8c8a6b7a3ea995b5a9a3d6e647c92e8e62ae80eccd627da7", "588c896024ea108499c831300a4c1c2c304f9bbff4d51ab473b01f884a8f4ea6", "5c89a96c73ddba281b9fff5243b10c9321e0d6a50f1e86bdcf67ba8f7bb0bec2", "5dc6d981612e9057e5e9ac170eadc9e90b4373332b15069afd0272e91692ad9c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "passes-pdf-ui/src/test/kotlin/is/walt/passes/pdf/ui/DocumentTrustSurfaceTest.kt"}, "region": {"startLine": 97}}}]}]}]}