{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Apply these checks to the IP address the hostname actually resolves to, covering loopback (127/8) and the IPv6 equivalents as well, and repeat them on every redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 32 more): Same pattern found in 32 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool.", "shortDescription": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-664 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar`", "shortDescription": {"text": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,705 bytes) committed to a repo that otherwise has 623 source files. Trojan binaries inside otherwi"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source. A Gradle wrapper JAR is normally committed on purpose; for that file, verify its SHA-256 checksum against the value Gradle publishes for the wrapper version in use instead of ignoring it."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `gradle/wrapper-validation-action` pinned to mutable ref `@v2`: `uses: gradle/wrapper-validation-actio", "shortDescription": {"text": "[MINED115] Action `gradle/wrapper-validation-action` pinned to mutable ref `@v2`: `uses: gradle/wrapper-validation-action@v2` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/ch"}, "fullDescription": {"text": "Replace with: `uses: gradle/wrapper-validation-action@<40-char-sha>  # v2` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1347"}, "properties": {"repository": "armin-reichert/pacman-javafx", "repoUrl": "https://github.com/armin-reichert/pacman-javafx", "branch": "main"}, "results": [{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137611, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb98cf2e89b3596ea66fa2b9071249e5348a908658793756237a631b29aa8465", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-core/src/main/java/de/amr/pacmanfx/model/actors/Ghost.java", "duplicate_line": 102, "correlation_key": "fp|fb98cf2e89b3596ea66fa2b9071249e5348a908658793756237a631b29aa8465"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-core/src/main/java/de/amr/pacmanfx/model/actors/MovingActor.java"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137610, "scanner": "repobility-ai-code-hygiene", "fingerprint": "153a4cbee56c187fda080a25bf3e43524f1a65528ff9ba16277cbaa46ba93de8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/scenes/Arcade_PlayScene2DGameEventHandler.java", "duplicate_line": 14, "correlation_key": "fp|153a4cbee56c187fda080a25bf3e43524f1a65528ff9ba16277cbaa46ba93de8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/scenes/TengenMsPacMan_PlayScene2DGameEventHandler.java"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137609, "scanner": "repobility-ai-code-hygiene", "fingerprint": "285d229a94ddd2d9d5571b407dcf629f92ecc44915b6809b4a54005ebbcd5a3a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/scenes/TengenMsPacMan_CutScene2.java", "duplicate_line": 30, "correlation_key": "fp|285d229a94ddd2d9d5571b407dcf629f92ecc44915b6809b4a54005ebbcd5a3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/scenes/TengenMsPacMan_CutScene3.java"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137608, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"25a7bb95b978a2322df1c8c56eeb799c98cc36fbca20116c9b11aab06cbbe91c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/scenes/ArcadeMsPacMan_CutScene1.java", "duplicate_line": 31, "correlation_key": "fp|25a7bb95b978a2322df1c8c56eeb799c98cc36fbca20116c9b11aab06cbbe91c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/scenes/TengenMsPacMan_CutScene1.java"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137607, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17c1b771fbe269c7dec2c2c6ba8c4f97eedbfd472e628613140c5718551e82a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/rendering/ArcadeMsPacMan_SpriteSheet.java", "duplicate_line": 87, "correlation_key": "fp|17c1b771fbe269c7dec2c2c6ba8c4f97eedbfd472e628613140c5718551e82a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/rendering/TengenMsPacMan_SpriteSheet.java"}, "region": {"startLine": 212}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137606, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e99cbaa0a2ed33b65996cfbd97bb7d6bed4115a982f9bc65957505ec9d26cf0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/rendering/ArcadePacMan_SpriteSheet.java", "duplicate_line": 90, "correlation_key": "fp|7e99cbaa0a2ed33b65996cfbd97bb7d6bed4115a982f9bc65957505ec9d26cf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/rendering/TengenMsPacMan_SpriteSheet.java"}, "region": {"startLine": 211}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137605, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b588247aed2796471e6292e0c9483b8159e1e687c6d357f9f80dc7b4577fe597", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/model/ArcadePacMan_GameRules.java", "duplicate_line": 31, "correlation_key": "fp|b588247aed2796471e6292e0c9483b8159e1e687c6d357f9f80dc7b4577fe597"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/model/TengenMsPacMan_GameRules.java"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137604, "scanner": "repobility-ai-code-hygiene", "fingerprint": "81e1ef57f9567f1651916bb0db7ad22a3859d75df0954ab95f3c5106e4da3261", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/model/ArcadePacMan_GameModel.java", "duplicate_line": 142, "correlation_key": "fp|81e1ef57f9567f1651916bb0db7ad22a3859d75df0954ab95f3c5106e4da3261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/model/TengenMsPacMan_GameModel.java"}, "region": {"startLine": 333}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137603, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dd621f24a6090f50e9eebff6c5a4d08be445abcea1dfd4343821301b5cea963e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/model/ArcadeMsPacMan_GameModel.java", "duplicate_line": 145, 
"correlation_key": "fp|dd621f24a6090f50e9eebff6c5a4d08be445abcea1dfd4343821301b5cea963e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/model/TengenMsPacMan_GameModel.java"}, "region": {"startLine": 253}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137602, "scanner": "repobility-ai-code-hygiene", "fingerprint": "015eb8c1e6e85c65fa47cb9a95ae8ebf2b0c109cec1b6e8d084d3f393968be1f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/model/Arcade_GameModel.java", "duplicate_line": 77, "correlation_key": "fp|015eb8c1e6e85c65fa47cb9a95ae8ebf2b0c109cec1b6e8d084d3f393968be1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/model/TengenMsPacMan_GameModel.java"}, "region": {"startLine": 183}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137601, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69f44c96cb12e43b30d5202d1428f8289a6976627c07ec889f00ac3e587cf397", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/flow/Arcade_GameState.java", "duplicate_line": 51, "correlation_key": "fp|69f44c96cb12e43b30d5202d1428f8289a6976627c07ec889f00ac3e587cf397"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/flow/TengenMsPacMan_GameState.java"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137600, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2bd59f3b08f529f2740b9fc12bd0475e9b508e7ccbc0db11df04700a65476969", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/ArcadeMsPacMan_Factory3D.java", "duplicate_line": 12, "correlation_key": "fp|2bd59f3b08f529f2740b9fc12bd0475e9b508e7ccbc0db11df04700a65476969"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/TengenMsPacMan_Factory3D.java"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137599, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7feb30804415fd9e34cb1e748816e46d74decee763712020c4b60c994eb978e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 
12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/ArcadePacMan_UIConfig.java", "duplicate_line": 220, "correlation_key": "fp|7feb30804415fd9e34cb1e748816e46d74decee763712020c4b60c994eb978e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/pacman/PacManXXL_PacMan_UIConfig.java"}, "region": {"startLine": 194}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137598, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa5a688523797461eea5fca6939496fb204e0b1b9c5888f432453f77d6d44e95", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/ArcadeMsPacMan_UIConfig.java", "duplicate_line": 155, "correlation_key": "fp|fa5a688523797461eea5fca6939496fb204e0b1b9c5888f432453f77d6d44e95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/pacman/PacManXXL_PacMan_UIConfig.java"}, "region": {"startLine": 167}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137597, "scanner": "repobility-ai-code-hygiene", "fingerprint": "50c80bb04364b98922d7baf29969cceeb82e8c4a3bbbde73beafa86f96b9de75", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/ms_pacman/PacManXXL_MsPacMan_UIConfig.java", "duplicate_line": 56, "correlation_key": "fp|50c80bb04364b98922d7baf29969cceeb82e8c4a3bbbde73beafa86f96b9de75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/pacman/PacManXXL_PacMan_UIConfig.java"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137596, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d7fb86c2866903e1a7f9a9485ede6abe285aac051ab11d67b972acb36445c9a4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/ArcadeMsPacMan_GameSceneConfig.java", "duplicate_line": 34, "correlation_key": "fp|d7fb86c2866903e1a7f9a9485ede6abe285aac051ab11d67b972acb36445c9a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/pacman/PacManXXL_PacMan_GameSceneConfig.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137595, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "a7b65d3f90249fcad862aa6f6cd8b4c59a5532c7e2a0ea72769351d0a1abdbd1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/ArcadePacMan_GameSceneConfig.java", "duplicate_line": 21, "correlation_key": "fp|a7b65d3f90249fcad862aa6f6cd8b4c59a5532c7e2a0ea72769351d0a1abdbd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/pacman/PacManXXL_PacMan_GameSceneConfig.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137594, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96071d800fcc99aaa09a3390487cd612a66efbad9cff2af6e75157485ab532c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/ms_pacman/PacManXXL_MsPacMan_GameModel.java", "duplicate_line": 17, "correlation_key": "fp|96071d800fcc99aaa09a3390487cd612a66efbad9cff2af6e75157485ab532c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/pacman/PacManXXL_PacMan_GameModel.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137593, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1db78414fffbb28013a57295990ab838c844231d547a53c695850004b8f602ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/ms_pacman/PacManXXL_MsPacMan_GameLevelRenderer.java", "duplicate_line": 14, "correlation_key": "fp|1db78414fffbb28013a57295990ab838c844231d547a53c695850004b8f602ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/pacman/PacManXXL_PacMan_GameLevelRenderer.java"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137592, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed5481e3883d45da78c875a4a5017dd7c3af91b00e2fa524ca2f70b2fd30dedb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/ArcadePacMan_UIConfig.java", "duplicate_line": 251, "correlation_key": "fp|ed5481e3883d45da78c875a4a5017dd7c3af91b00e2fa524ca2f70b2fd30dedb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/ms_pacman/PacManXXL_MsPacMan_UIConfig.java"}, "region": {"startLine": 210}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137591, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe4208e2026a154a4f470d97710768a19d8f2115719a8de60f4fac50374ca423", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/ArcadeMsPacMan_UIConfig.java", "duplicate_line": 154, "correlation_key": "fp|fe4208e2026a154a4f470d97710768a19d8f2115719a8de60f4fac50374ca423"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/ms_pacman/PacManXXL_MsPacMan_UIConfig.java"}, "region": {"startLine": 204}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137590, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bddd986b303cc37f0540e68b8ca4ffc84424502bf138db07897a19a9e9688063", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/ArcadeMsPacMan_GameSceneConfig.java", 
"duplicate_line": 24, "correlation_key": "fp|bddd986b303cc37f0540e68b8ca4ffc84424502bf138db07897a19a9e9688063"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/ms_pacman/PacManXXL_MsPacMan_GameSceneConfig.java"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137589, "scanner": "repobility-ai-code-hygiene", "fingerprint": "49a4142bed91d423e8a98129b52c8d9eebfb3717e0e69a8e91a1ff7b02729db2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/scenes/ArcadePacMan_CutScene1.java", "duplicate_line": 19, "correlation_key": "fp|49a4142bed91d423e8a98129b52c8d9eebfb3717e0e69a8e91a1ff7b02729db2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/scenes/ArcadePacMan_CutScene3.java"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137588, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e6e16d2ff8e224b9f641fd67e27d17f04396948b6650c5d0b5f4100a8c1a74a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/rendering/SpriteID.java", "duplicate_line": 16, "correlation_key": "fp|3e6e16d2ff8e224b9f641fd67e27d17f04396948b6650c5d0b5f4100a8c1a74a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/rendering/SpriteID.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137587, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a4a8015b8ca17304384c95fea9ec9adab6db91afbf8816cbff37cd027040c9f2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/rendering/ArcadeMsPacMan_SpriteSheet.java", "duplicate_line": 87, "correlation_key": "fp|a4a8015b8ca17304384c95fea9ec9adab6db91afbf8816cbff37cd027040c9f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/rendering/ArcadePacMan_SpriteSheet.java"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137586, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5f0ca74c71fd30f73ae5a3340bc948207a9e4fe8452f0c534cb34c449386a65", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/rendering/ArcadeMsPacMan_HeadsUpDisplayRenderer.java", "duplicate_line": 29, "correlation_key": "fp|b5f0ca74c71fd30f73ae5a3340bc948207a9e4fe8452f0c534cb34c449386a65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/rendering/ArcadePacMan_HeadsUpDisplay_Renderer.java"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137585, "scanner": "repobility-ai-code-hygiene", "fingerprint": "395290e7978192d916c2706b2b93f67e964a3848fb3ab51d13219a7af2f3c23f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/rendering/ArcadeMsPacMan_ActorRenderer.java", "duplicate_line": 30, "correlation_key": "fp|395290e7978192d916c2706b2b93f67e964a3848fb3ab51d13219a7af2f3c23f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/rendering/ArcadePacMan_ActorRenderer.java"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137584, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9be95e0714ff5d53d9c6e537379da2fe864d52b91f36050ede319ece270ac326", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/model/ArcadeMsPacMan_LevelCounter.java", "duplicate_line": 8, "correlation_key": "fp|9be95e0714ff5d53d9c6e537379da2fe864d52b91f36050ede319ece270ac326"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/model/ArcadePacMan_LevelCounter.java"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137583, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d43a4ab43f4375023ed55f24f31ea3407753b67a01171718686ad6aa14b044c7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/ArcadeMsPacMan_GameSceneConfig.java", "duplicate_line": 34, "correlation_key": "fp|d43a4ab43f4375023ed55f24f31ea3407753b67a01171718686ad6aa14b044c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/ArcadePacMan_GameSceneConfig.java"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 137582, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e77740678cd7fbdc4e8138d699366c0c97f55e69a6e19dcec844e194267eed5f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "objparser/src/main/java/de/amr/objparser/ObjFileParser.java", "duplicate_line": 84, "correlation_key": "fp|e77740678cd7fbdc4e8138d699366c0c97f55e69a6e19dcec844e194267eed5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "objparser/src/main/java/de/amr/objparser/ObjMtlFileParser.java"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 137580, "scanner": "repobility-threat-engine", "fingerprint": "231c5872f4afe3b8815aca0e946043d371566e9718e502b5d8ae3bd62f7497e1", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"mazeImage=\" + mapImage\n            + \", flashingMazeImages=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|231c5872f4afe3b8815aca0e946043d371566e9718e502b5d8ae3bd62f7497e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/rendering/MapImageSet.java"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 137579, "scanner": "repobility-threat-engine", "fingerprint": "b4ccc3cc17b2f951549b363f8dbc071adcb6dcb1ab3a60e91e5dd6a3bae1a855", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Phase index \" + phaseIndex + \" is invalid\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b4ccc3cc17b2f951549b363f8dbc071adcb6dcb1ab3a60e91e5dd6a3bae1a855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-tengen-mspacman/src/main/java/de/amr/pacmanfx/tengenmspacman/model/TengenMsPacMan_GameRules.java"}, "region": {"startLine": 187}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 137578, "scanner": "repobility-threat-engine", "fingerprint": "63786bae20ed9e96b965828bb1f5400b0cb586a46f10c8c0fe019cd4559f5676", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Phase index \" + phaseIndex + \" is invalid\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|63786bae20ed9e96b965828bb1f5400b0cb586a46f10c8c0fe019cd4559f5676"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/model/ArcadeMsPacMan_GameRules.java"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 137581, "scanner": "repobility-threat-engine", "fingerprint": "0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 137577, "scanner": "repobility-threat-engine", "fingerprint": "649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "properties": {"repobilityId": 137573, "scanner": "repobility-threat-engine", "fingerprint": "62000d257fb045d0b197c75562c02a591e1fa59e97f0c2640bf74e1047aa2ced", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 32 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 32 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|62000d257fb045d0b197c75562c02a591e1fa59e97f0c2640bf74e1047aa2ced"}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 137569, "scanner": "repobility-threat-engine", "fingerprint": "7185ff98a12218241fe4ffa6900fcfe17d4a6f45ecc6ca3098925f0f141294b4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7185ff98a12218241fe4ffa6900fcfe17d4a6f45ecc6ca3098925f0f141294b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "basics/src/main/java/de/amr/basics/filesystem/DirectoryWatchdog.java"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,705 bytes) committed to a repo that otherwise has 623 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. `gradle-wrapper.jar` is also the standard Gradle Wrapper bootstrap that projects normally commit, so its presence alone is not evidence of tampering; verify its SHA-256 against the checksum Gradle publishes for the wrapper version in use."}, "properties": {"repobilityId": 137635, "scanner": "repobility-supply-chain", "fingerprint": "9e211589da6f216ba4b5af8d363d1d924534ce05a7fe7265d68abf6094748092", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e211589da6f216ba4b5af8d363d1d924534ce05a7fe7265d68abf6094748092"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/wrapper-validation-action` pinned to mutable ref `@v2`: `uses: gradle/wrapper-validation-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137634, "scanner": "repobility-supply-chain", "fingerprint": "a18b53cf09a01d97ccc1d1c2b64c541a3a4c3a4353c47e3e262140a713637ebe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a18b53cf09a01d97ccc1d1c2b64c541a3a4c3a4353c47e3e262140a713637ebe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137633, "scanner": "repobility-supply-chain", "fingerprint": "1e6f527246eccbd851e84ba0846127f23d0e3f4fcf244fb144c334ed63e53e83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e6f527246eccbd851e84ba0846127f23d0e3f4fcf244fb144c334ed63e53e83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137632, "scanner": "repobility-supply-chain", "fingerprint": "a11dfa82b7fe2ca3a9ad75bb13d18073fde0a131c22f71d493d874d92e13a583", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a11dfa82b7fe2ca3a9ad75bb13d18073fde0a131c22f71d493d874d92e13a583"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v1`: `uses: softprops/action-gh-release@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137631, "scanner": "repobility-supply-chain", "fingerprint": "6693b83b46f0beddcfcc33c8ccfdc0d3dd995ae6d3dff5f1719bc362fa5150d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6693b83b46f0beddcfcc33c8ccfdc0d3dd995ae6d3dff5f1719bc362fa5150d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-arcade-pacman.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137630, "scanner": "repobility-supply-chain", "fingerprint": "18710ba6e4a5d2116a819ea5d6758480c9f4079947d9a747285fb39ae5506ea0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|18710ba6e4a5d2116a819ea5d6758480c9f4079947d9a747285fb39ae5506ea0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-arcade-pacman.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137629, "scanner": "repobility-supply-chain", "fingerprint": "f911500c70695ca656d5c0120ac378422a6638328eb86b83151d958cf570ce18", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f911500c70695ca656d5c0120ac378422a6638328eb86b83151d958cf570ce18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-arcade-pacman.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137628, "scanner": "repobility-supply-chain", "fingerprint": "b4b35fda1c00bdd8dd8d81a9da6bb8d33da6b6467e0640afdcc625928f252705", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4b35fda1c00bdd8dd8d81a9da6bb8d33da6b6467e0640afdcc625928f252705"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-arcade-pacman.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137627, "scanner": "repobility-supply-chain", "fingerprint": "781bfa9451234fdcb85394f1da516c7765bc49ab9e3ff9d902cdacefd7faef00", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|781bfa9451234fdcb85394f1da516c7765bc49ab9e3ff9d902cdacefd7faef00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-arcade-pacman.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137626, "scanner": "repobility-supply-chain", "fingerprint": "d8c36ad83555082d8da2dab09158fc8fe99a61640a67fa681da4185c8d8fc899", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d8c36ad83555082d8da2dab09158fc8fe99a61640a67fa681da4185c8d8fc899"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-arcade-pacman.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137625, "scanner": "repobility-supply-chain", "fingerprint": "0a0f3155e4dca9c140f39de9387d5a1a2693906216248f797f5e0ac957c86826", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a0f3155e4dca9c140f39de9387d5a1a2693906216248f797f5e0ac957c86826"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-arcade-pacman.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/wrapper-validation-action` pinned to mutable ref `@v2`: `uses: gradle/wrapper-validation-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137624, "scanner": "repobility-supply-chain", "fingerprint": "cda3cc54176e8a95f392c139d578c3b57fd02883d5dc75d5abc3f0c141711b20", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cda3cc54176e8a95f392c139d578c3b57fd02883d5dc75d5abc3f0c141711b20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-arcade-pacman.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137623, "scanner": "repobility-supply-chain", "fingerprint": "e651a83f76704d01eaa9f10104932825fba8fe6ea3507f7b4a7c650333ffd796", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e651a83f76704d01eaa9f10104932825fba8fe6ea3507f7b4a7c650333ffd796"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-arcade-pacman.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137622, "scanner": "repobility-supply-chain", "fingerprint": "f90b479af9564c05d28d5430e20e9633d35b674b181e2b36b5c89333288539fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f90b479af9564c05d28d5430e20e9633d35b674b181e2b36b5c89333288539fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-arcade-pacman.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v1`: `uses: softprops/action-gh-release@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137621, "scanner": "repobility-supply-chain", "fingerprint": "06784cbfd32149c2663a092555bdfffd60130f48f8a12116d41417b86edb6807", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06784cbfd32149c2663a092555bdfffd60130f48f8a12116d41417b86edb6807"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-allgames.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137620, "scanner": "repobility-supply-chain", "fingerprint": "cf8f18799e2f7fa3c69fb65472c032d3ff15a5a471b7d80c24867c3ff02cba21", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf8f18799e2f7fa3c69fb65472c032d3ff15a5a471b7d80c24867c3ff02cba21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-allgames.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137619, "scanner": "repobility-supply-chain", "fingerprint": "e8a376498d591c7bad9016128e756e294372feb06b99f0ecd876346aa8b4947d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8a376498d591c7bad9016128e756e294372feb06b99f0ecd876346aa8b4947d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-allgames.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137618, "scanner": "repobility-supply-chain", "fingerprint": "a23ff1e176a67baf70c366136defb87e26fa36fd01c729be278c07f8f7f69f31", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a23ff1e176a67baf70c366136defb87e26fa36fd01c729be278c07f8f7f69f31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-allgames.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137617, "scanner": "repobility-supply-chain", "fingerprint": "c417fae385bdee0a48b5bbf3fb5139db65cd97254a6074b4bbc28654c50cb79d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c417fae385bdee0a48b5bbf3fb5139db65cd97254a6074b4bbc28654c50cb79d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-allgames.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137616, "scanner": "repobility-supply-chain", "fingerprint": "a550a838418188e451a32bec165287d32ccb2fdc1b15155177c53fba5b5eaf9e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a550a838418188e451a32bec165287d32ccb2fdc1b15155177c53fba5b5eaf9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-allgames.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137615, "scanner": "repobility-supply-chain", "fingerprint": "3e63bb4cc09131df53ce1e73d55c9f6666d34a4cf2c935aa2b8fa6c5c1809132", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e63bb4cc09131df53ce1e73d55c9f6666d34a4cf2c935aa2b8fa6c5c1809132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-allgames.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/wrapper-validation-action` pinned to mutable ref `@v2`: `uses: gradle/wrapper-validation-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137614, "scanner": "repobility-supply-chain", "fingerprint": "79baa4b637e830066bac74238e49f2fa799baf3348a62b058311b1aab33d6143", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79baa4b637e830066bac74238e49f2fa799baf3348a62b058311b1aab33d6143"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-allgames.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137613, "scanner": "repobility-supply-chain", "fingerprint": "bf413a1269b0ac0c61c28749698ff0e489cabe928a89ab8c3f4272e9b89c0f7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf413a1269b0ac0c61c28749698ff0e489cabe928a89ab8c3f4272e9b89c0f7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-allgames.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137612, "scanner": "repobility-supply-chain", "fingerprint": "902e12f978e08794d3785d83c7e90204241564f377635ce0d5b6e01bdd3d33ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|902e12f978e08794d3785d83c7e90204241564f377635ce0d5b6e01bdd3d33ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-installer-allgames.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Triage note: the recorded evidence is only the token `URL(u`, which does not show where the URL value comes from or that a request is sent; confirm the URL can be influenced by untrusted input before treating this as SSRF."}, "properties": {"repobilityId": 137576, "scanner": "repobility-threat-engine", "fingerprint": "bf29565b3a9e4d51c264ae69d1e87ece115b5fdff39d940ef0d193570bd7c414", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf29565b3a9e4d51c264ae69d1e87ece115b5fdff39d940ef0d193570bd7c414"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacmanxxl/src/main/java/de/amr/pacmanfx/arcade/pacman_xxl/common/PacManXXL_MapSelector.java"}, "region": {"startLine": 200}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Triage note: the recorded evidence is only the token `URL(u`, which does not show where the URL value comes from or that a request is sent; confirm the URL can be influenced by untrusted input before treating this as SSRF."}, "properties": {"repobilityId": 137575, "scanner": "repobility-threat-engine", "fingerprint": "d6cc40e644677e774f962754c068fca520629293ded7e091dcb37559ca429b44", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d6cc40e644677e774f962754c068fca520629293ded7e091dcb37559ca429b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-pacman/src/main/java/de/amr/pacmanfx/arcade/pacman/model/ArcadePacMan_MapSelector.java"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Triage note: the recorded evidence is only the token `Url(S`, which does not show where the URL value comes from or that a request is sent; confirm the URL can be influenced by untrusted input before treating this as SSRF."}, "properties": {"repobilityId": 137574, "scanner": "repobility-threat-engine", "fingerprint": "21cf117ffa39cad2ccf0295f692ce5d7ef2e676f06e82a0300d05a5899526bf8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|21cf117ffa39cad2ccf0295f692ce5d7ef2e676f06e82a0300d05a5899526bf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "objparser/src/main/java/de/amr/objparser/ObjModel.java"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Triage note: the flagged file is Java, which has no `await` keyword or Promise type, and the matched statement `sceneController.update();` appears to be an ordinary method call, so this is likely a false positive from a pattern written for another language; verify before acting on it."}, "properties": {"repobilityId": 137572, "scanner": "repobility-threat-engine", "fingerprint": "3c58bdedafed420ca7246eaae7ed8c17bfc50e9fbc997ac6fd1ad09359acec22", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sceneController.update();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3c58bdedafed420ca7246eaae7ed8c17bfc50e9fbc997ac6fd1ad09359acec22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/scenes/ArcadeMsPacMan_IntroScene.java"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Triage note: the flagged file is Java, which has no `await` keyword or Promise type, and the matched statement `ctx.save();` appears to be an ordinary method call, so this is likely a false positive from a pattern written for another language; verify before acting on it."}, "properties": {"repobilityId": 137571, "scanner": "repobility-threat-engine", "fingerprint": "50eadffac1c9687bd58d3d64bccbe1e62c16817db5039a44817a5551fdf46f8f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ctx.save();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|50eadffac1c9687bd58d3d64bccbe1e62c16817db5039a44817a5551fdf46f8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacman-app-arcade-mspacman/src/main/java/de/amr/pacmanfx/arcade/ms_pacman/rendering/ArcadeMsPacMan_GameLevelRenderer.java"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Triage note: the flagged file is Java, which has no `await` keyword or Promise type, and the matched statement `animation.update(now);` appears to be an ordinary method call, so this is likely a false positive from a pattern written for another language; verify before acting on it."}, "properties": {"repobilityId": 137570, "scanner": "repobility-threat-engine", "fingerprint": "d670f1771942b9a026ef9861b56b54a318543296aabe52f39f0b3a6bb256398b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "animation.update(now);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d670f1771942b9a026ef9861b56b54a318543296aabe52f39f0b3a6bb256398b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "basics/src/main/java/de/amr/basics/spriteanim/SpriteAnimationSet.java"}, "region": {"startLine": 55}}}]}]}]}