{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: c.execute('SELECT * FROM t WHERE id = ?', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/476"}, "properties": {"repository": "DanOps-1/Gpt-Agreement-Payment", "repoUrl": "https://github.com/DanOps-1/Gpt-Agreement-Payment", "branch": "main"}, "results": [{"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 27669, "scanner": "repobility-threat-engine", "fingerprint": "4091e0cab21ca2ae1eabbc8f2e1e2713e68c1b02415850dd33cad718573db248", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|webui/backend/wa_relay.py|81|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/backend/wa_relay.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 27667, "scanner": "repobility-threat-engine", "fingerprint": "3f961e5ef9350c8471a1d5985d310880d155ebed004f43ab5316d0bb003fdb78", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.check_output(cmd, shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|ctf-reg/auth_flow.py|874|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-reg/auth_flow.py"}, "region": {"startLine": 874}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 27661, "scanner": "repobility-threat-engine", "fingerprint": "3764f67af13a6606b8b942cb0ab2c5d2ffcb57c06efc96ea0ee4bf10f9ff95c5", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3764f67af13a6606b8b942cb0ab2c5d2ffcb57c06efc96ea0ee4bf10f9ff95c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-pay/hcaptcha_auto_solver.py"}, "region": {"startLine": 3042}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 27660, "scanner": "repobility-threat-engine", "fingerprint": "c120c8b76e48ad93eb8b05da066c0651938304b8398766c53ca9500934d88b7d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c120c8b76e48ad93eb8b05da066c0651938304b8398766c53ca9500934d88b7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-pay/gopay.py"}, "region": {"startLine": 162}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 27659, "scanner": "repobility-threat-engine", "fingerprint": "d50ab2a15893d4fadf394c19c3d479d01d02cdd641ffa08c5d5b4e2e7a54b6d3", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d50ab2a15893d4fadf394c19c3d479d01d02cdd641ffa08c5d5b4e2e7a54b6d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-pay/card.py"}, "region": {"startLine": 158}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 27650, "scanner": "repobility-agent-runtime", "fingerprint": "ffdc7e97412bf9b3d0508419f5e1be009a26859b63849390390890e71e930ea2", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ffdc7e97412bf9b3d0508419f5e1be009a26859b63849390390890e71e930ea2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/frontend/src/views/Run.vue"}, "region": {"startLine": 575}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 27649, "scanner": "repobility-agent-runtime", "fingerprint": "056462f4d6d7600844b536b302a9fd0ef4ae3d7a2c81fc870f2c3279e6e88e42", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|056462f4d6d7600844b536b302a9fd0ef4ae3d7a2c81fc870f2c3279e6e88e42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-reg/auth_flow.py"}, "region": {"startLine": 174}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27648, "scanner": "repobility-ai-code-hygiene", "fingerprint": "04f3ce4759af9963fb5f67d5f54e410d643ad33e7f110544620c5cdbe9e00f0c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "webui/frontend/src/views/Login.vue", "duplicate_line": 25, "correlation_key": "fp|04f3ce4759af9963fb5f67d5f54e410d643ad33e7f110544620c5cdbe9e00f0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/frontend/src/views/Setup.vue"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27647, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17a88f2dc9e336916a12c89ca28a9422e1377f27993dcb550d21a3fa22e6383d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "webui/frontend/src/components/steps/Step05_Proxy.vue", "duplicate_line": 55, "correlation_key": "fp|17a88f2dc9e336916a12c89ca28a9422e1377f27993dcb550d21a3fa22e6383d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/frontend/src/components/steps/Step09_VLM.vue"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27646, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0bf4e76928ee2ded2f3e1c0c48fa40a968ac365fc9e5d79a04c1af3da39e5775", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "webui/frontend/src/components/steps/Step05_Proxy.vue", "duplicate_line": 55, "correlation_key": "fp|0bf4e76928ee2ded2f3e1c0c48fa40a968ac365fc9e5d79a04c1af3da39e5775"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/frontend/src/components/steps/Step08_Captcha.vue"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 27666, "scanner": "repobility-threat-engine", "fingerprint": "019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 27665, "scanner": "repobility-threat-engine", "fingerprint": "be9a0baf11359ffee49b15547627f7183a28bcf5425df2863442f044ba723791", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warning(\"Codex oauth/token \u5931\u8d25: %s - %s\", resp.status_code, (resp.text or \"\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|ctf-reg/auth_flow.py|72|logger.warning codex oauth/token : s - s resp.status_code resp.text or"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-reg/auth_flow.py"}, "region": {"startLine": 725}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 27662, "scanner": "repobility-threat-engine", "fingerprint": "c9ba1cb2752eef08a30e0d3e16a1a347361b3fb2dd8069dca7d7bd3eb6f50978", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c9ba1cb2752eef08a30e0d3e16a1a347361b3fb2dd8069dca7d7bd3eb6f50978"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 27658, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 27654, "scanner": "repobility-threat-engine", "fingerprint": "a0d26ba9b4df32e50ac3a2172c7bcb910780192e3d92aeb18151489dc0cd5980", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0d26ba9b4df32e50ac3a2172c7bcb910780192e3d92aeb18151489dc0cd5980"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 27653, "scanner": "repobility-threat-engine", "fingerprint": "224d0c2bf489534b04b903f2dd56ee595f3034c4343b7594b28fbbcad0fbdc41", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.randint(", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|ctf-reg/browser_register.py|46|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-reg/browser_register.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 27652, "scanner": "repobility-threat-engine", "fingerprint": "2967eec4d62d633ce1d5e37a98c79ab109c3cc04267a139819c658cad32efe3a", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.randint(", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|ctf-reg/auth_flow.py|1662|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-reg/auth_flow.py"}, "region": {"startLine": 1662}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 27651, "scanner": "repobility-threat-engine", "fingerprint": "6d110cc314fd63f9248e26109e7bcd9a1c879fca9d93930e7a7457f8a57be843", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.randint(", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|ctf-pay/card.py|910|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-pay/card.py"}, "region": {"startLine": 910}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 27668, "scanner": "repobility-threat-engine", "fingerprint": "845b126421bd0c457bb808ebfbd6047b43e3c9caf46fe104d04d86740f4abaa0", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": ".execute(f\"DELETE", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|webui/backend/db.py|200|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "webui/backend/db.py"}, "region": {"startLine": 200}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 27664, "scanner": "repobility-threat-engine", "fingerprint": "180af6a31a677802e73b30c4a65b854ce11143a613ef4b92e061ac51400b613e", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.debug(f\"PoW \u8ba1\u7b97\u6210\u529f, token \u957f\u5ea6: {len(token)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|12|logger.debug f pow token : len token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-reg/sentinel_v1_legacy.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 27663, "scanner": "repobility-threat-engine", "fingerprint": "b944a2f78a4120f1ed7d0c2ae53c0fa1b3f69d223f28c4f0f7bb47810c189ff4", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Formatted expression outputs a credential-bearing value directly.", "evidence": {"match": "logger.info(f\"[browser-reg] \u5bc6\u7801: {password}  \u59d3\u540d: {first_name} {last_name}\")", "reason": "Formatted expression outputs a credential-bearing value directly.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.92, "correlation_key": "secret|ctf-reg/browser_register.py|15|logger.info f browser-reg : password : first_name last_name"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-reg/browser_register.py"}, "region": {"startLine": 152}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 27657, "scanner": "repobility-threat-engine", "fingerprint": "aca5f357fba1d4b23b99b97d46b11eef73f385eea064200da75d88a65b387896", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(J", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aca5f357fba1d4b23b99b97d46b11eef73f385eea064200da75d88a65b387896"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-reg/auth_flow.py"}, "region": {"startLine": 472}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 27656, "scanner": "repobility-threat-engine", "fingerprint": "b558c5e82cf7c654ed9a49cf9afd0ec52c8c144108a9601753c5dd7181199a32", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b558c5e82cf7c654ed9a49cf9afd0ec52c8c144108a9601753c5dd7181199a32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-pay/hcaptcha_auto_solver.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 27655, "scanner": "repobility-threat-engine", "fingerprint": "1a0d6a9e9e4a9bf83eebb5d297a30defbdd87b76659f840d78dbcc9f46a058b1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(create_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a0d6a9e9e4a9bf83eebb5d297a30defbdd87b76659f840d78dbcc9f46a058b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CTF-pay/card.py"}, "region": {"startLine": 3351}}}]}]}]}