{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `print_tools` has cognitive complexity 16 (SonarSource scale). Cognitive c", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `print_tools` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion a"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 16."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "QUAL003", "name": "Magic number used as default arg", "shortDescription": {"text": "Magic number used as default arg"}, "fullDescription": {"text": "Using hardcoded default values for complex configuration objects makes the code brittle and difficult to manage. Consider using a dedicated factory or builder pattern.\n\nAuto-promoted from proposal 444 on 2026-05-12. Synth confidence: 0.85. FP estimate: 0.00."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "SUPC002", "name": "Supply chain \u2014 npm install without lockfile", "shortDescription": {"text": "Supply chain \u2014 npm install without lockfile"}, "fullDescription": {"text": "Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"scanner": "repobility", "category": "supply_chain", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "CRYP001", "name": "Crypto \u2014 plaintext HTTP for sensitive endpoint", "shortDescription": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "fullDescription": {"text": "Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "Keep one authoritative implementation, update imports to point at it, and remove or rename the duplicate symbol."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 15 more): Same pattern found in 15 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED051", "name": "[MINED051] Csharp Null Forgive (and 32 more): Same pattern found in 32 additional files. Review if needed.", "shortDescription": {"text": "[MINED051] Csharp Null Forgive (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/ReflectorNet.dll` committed in source repo: `Unity-MCP-Plu", "shortDescription": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/ReflectorNet.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/ReflectorNet.dll` is a .dll binary (230,912 bytes) committed to a repo that otherwise has 606 s"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet/aspnet:9.0` not pinned by digest: `FROM mcr.microsoft.com/dotnet/as", "shortDescription": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet/aspnet:9.0` not pinned by digest: `FROM mcr.microsoft.com/dotnet/aspnet:9.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is"}, "fullDescription": {"text": "Replace with: `FROM mcr.microsoft.com/dotnet/aspnet:9.0@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERRH003", "name": "except BaseException \u2014 catches SystemExit/KeyboardInterrupt", "shortDescription": {"text": "except BaseException \u2014 catches SystemExit/KeyboardInterrupt"}, "fullDescription": {"text": "except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"scanner": "repobility", "category": "error_handling", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.UNITY_MCP_TOOLS` on a `pull_request` trigger: This workflow triggers on `pull_request`", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.UNITY_MCP_TOOLS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UNITY_MCP_TOOLS }` lets a PR from any fork exfiltrate the se"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/188"}, "properties": {"repository": "IvanMurzak/Unity-MCP", "repoUrl": "https://github.com/IvanMurzak/Unity-MCP", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41003, "scanner": "repobility-ast-engine", "fingerprint": "df1b0357dfcaaa089e23fd9a837eb6b6c7cd82f27199c39bbf74b053b7c6bc02", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|df1b0357dfcaaa089e23fd9a837eb6b6c7cd82f27199c39bbf74b053b7c6bc02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "commands/tools/validate_json_schema.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41002, "scanner": "repobility-ast-engine", "fingerprint": "1c5695f8357511618a973066d9eae6d941c92a1238dd924a8c7ff109730362a8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1c5695f8357511618a973066d9eae6d941c92a1238dd924a8c7ff109730362a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "commands/tools/validate_json_schema.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41001, "scanner": "repobility-ast-engine", "fingerprint": "8e683374015b3669b5e4888559af5e488c9a1b3b71a309eaae5f413e995e37f8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8e683374015b3669b5e4888559af5e488c9a1b3b71a309eaae5f413e995e37f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "commands/tools/validate_mcp_openai.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41000, "scanner": "repobility-ast-engine", "fingerprint": "52a0b08401c150badc0412cad6b77c132c42fe5492bc7ad810ae48171a4b4394", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|52a0b08401c150badc0412cad6b77c132c42fe5492bc7ad810ae48171a4b4394"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "commands/tools/validate_mcp_openai.py"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 40999, "scanner": "repobility-ast-engine", "fingerprint": "54b111b8ab2b9b51e9c901af91229226a3bd6009d34aa7cff8992537e0f3cc15", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|54b111b8ab2b9b51e9c901af91229226a3bd6009d34aa7cff8992537e0f3cc15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "commands/tools/validate_mcp_openai.py"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 40998, "scanner": "repobility-ast-engine", "fingerprint": "06a282cbf75004a4072170bf52a68827d5ecd61ee2d8cb920a89ff588ed18bd9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06a282cbf75004a4072170bf52a68827d5ecd61ee2d8cb920a89ff588ed18bd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/MCP-Test-Client/mcp_client.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 40997, "scanner": "repobility-ast-engine", "fingerprint": "66b3cd976ec75509efacf3884324d7f53ebf02e8505ca982482214c8666687ca", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|66b3cd976ec75509efacf3884324d7f53ebf02e8505ca982482214c8666687ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/MCP-Test-Client/mcp_client.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 40996, "scanner": "repobility-ast-engine", "fingerprint": "df2649bce30f33104f7e6d2290c8eb2f4c482a01dff13b24f584daf041dfbc07", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|df2649bce30f33104f7e6d2290c8eb2f4c482a01dff13b24f584daf041dfbc07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/MCP-Test-Client/mcp_client.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 40995, "scanner": "repobility-ast-engine", "fingerprint": "f16f2110a1afc910c7af66e45a0c50430d9fc2bd791c17be0560f79602d37c18", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f16f2110a1afc910c7af66e45a0c50430d9fc2bd791c17be0560f79602d37c18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/MCP-Test-Client/mcp_client.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `print_tools` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=2, for=2, if=5, nested_bonus=5, ternary=2."}, "properties": {"repobilityId": 40966, "scanner": "repobility-threat-engine", "fingerprint": "96f0dd21a7b12730fa8e33a67e787d68f5630f06e5c9f59662ca10c4ae0f2a0b", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 16 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "print_tools", "breakdown": {"if": 5, "for": 2, "else": 2, "ternary": 2, "nested_bonus": 5}, "complexity": 16, "correlation_key": "fp|96f0dd21a7b12730fa8e33a67e787d68f5630f06e5c9f59662ca10c4ae0f2a0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/MCP-Test-Client/mcp_client.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `fetch_tools` has cognitive complexity 22 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, elif=3, else=1, except=2, for=1, if=3, nested_bonus=11."}, "properties": {"repobilityId": 40965, "scanner": "repobility-threat-engine", "fingerprint": "1da6ab982a56123a5ad5cf35ef3811fc8b5666d602bef692281fcb22a74e75dd", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 22 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "fetch_tools", "breakdown": {"if": 3, "for": 1, "elif": 3, "else": 1, "except": 2, "continue": 1, "nested_bonus": 11}, "complexity": 22, "correlation_key": "fp|1da6ab982a56123a5ad5cf35ef3811fc8b5666d602bef692281fcb22a74e75dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/MCP-Test-Client/mcp_client.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21907, "scanner": "repobility", "fingerprint": "60e8bac35048712c00b8de1b368dd6c5", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 1920", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/root/Tests/Editor/Tool/Screenshot/ScreenshotCameraTests.cs"}, "region": {"startLine": 48}}}]}, {"ruleId": "SUPC002", "level": "warning", "message": {"text": "Supply chain \u2014 npm install without lockfile"}, "properties": {"repobilityId": 15659, "scanner": "repobility", "fingerprint": "d31ce32daa49c11e3ea2d40a4dcb6f93", "category": "supply_chain", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "npm install", "aljefra_cwe": ["CWE-1357"], "aljefra_owasp": "A06:2021", "aljefra_pattern_slug": "npm-install-no-lockfile"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/root/Editor/Scripts/Skills/Skill_InitialSetup.cs"}, "region": {"startLine": 62}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14026, "scanner": "repobility", "fingerprint": "806cf444a839a6c7bb792efc626cffa8", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/root/Tests/Editor/UI/TomlAiAgentConfigTests.cs"}, "region": {"startLine": 359}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14025, "scanner": "repobility", "fingerprint": "5182b6f8e2ea8c73c05f8a404438b688", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/root/Tests/Editor/UI/TomlAiAgentConfigTests.cs"}, "region": {"startLine": 192}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 5332, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 5331, "scanner": "repobility-docker", "fingerprint": "227125c4b7b980a19d7fb08a6b36c7525a368b64743b1c4724aedafd1624b934", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet/aspnet:9.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|227125c4b7b980a19d7fb08a6b36c7525a368b64743b1c4724aedafd1624b934"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5321, "scanner": "repobility-ai-code-hygiene", "fingerprint": "825819aed04e489af57cffe1167b22733e722802cee2dc1bf32e018c70d4d5d1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.FindBuiltIn.cs", "duplicate_line": 1, "correlation_key": "fp|825819aed04e489af57cffe1167b22733e722802cee2dc1bf32e018c70d4d5d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Modify.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 5313, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4747a4a0f283aa8824e1f09801689a051f2dd9749b7f7be0f7db1f567371f8b8", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "copy", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.cs", "correlation_key": "fp|4747a4a0f283aa8824e1f09801689a051f2dd9749b7f7be0f7db1f567371f8b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Copy.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40994, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1696c2d1c6665d088af4399e2e9f2df0e3f1ec2e7d93e2a041dde80e2ffaf83d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|1696c2d1c6665d088af4399e2e9f2df0e3f1ec2e7d93e2a041dde80e2ffaf83d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/MoveAssetsResponse.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40993, "scanner": "repobility-ai-code-hygiene", "fingerprint": "81695aef2986efe9cb4dd4485e6a2d1a95b5b2fc46b783efa78778953a35b1fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|81695aef2986efe9cb4dd4485e6a2d1a95b5b2fc46b783efa78778953a35b1fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/ModifyObjectResponse.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40992, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b19469844e0ec751bd8517ae2ea227a3f3b08236bb82fc8d911101a03dc28c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|9b19469844e0ec751bd8517ae2ea227a3f3b08236bb82fc8d911101a03dc28c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/ModifyComponentResponse.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40991, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4af96d358c83a7d56b671dd3950ca65f9e3e6427272aeef94cf2368875dbe47", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/GetComponentResponse.cs", "duplicate_line": 11, "correlation_key": "fp|f4af96d358c83a7d56b671dd3950ca65f9e3e6427272aeef94cf2368875dbe47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/GetComponentResponse.pre-Unity.6.5.cs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40990, "scanner": "repobility-ai-code-hygiene", "fingerprint": "71d06ce6feea4e7b045985603ab7076bbb31f678d7e83b98522e2eeb3957c821", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|71d06ce6feea4e7b045985603ab7076bbb31f678d7e83b98522e2eeb3957c821"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/GetComponentResponse.pre-Unity.6.5.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40989, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c68f36d7bad051fa82d18a6960a6427acd8fe3a803dac17c7625abca208704ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|c68f36d7bad051fa82d18a6960a6427acd8fe3a803dac17c7625abca208704ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/GetComponentResponse.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40988, "scanner": "repobility-ai-code-hygiene", "fingerprint": "78d0ef8c84b696431504015d4d95585efed93042894b9b383313f07a910cd5fa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|78d0ef8c84b696431504015d4d95585efed93042894b9b383313f07a910cd5fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/EditorStatsData.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40987, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b4a30ef6cdc0a76b438c5633c22dd05277d1170b45a656a68bfa792f91005bc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/DestroyGameObjectResult.cs", "duplicate_line": 11, "correlation_key": "fp|5b4a30ef6cdc0a76b438c5633c22dd05277d1170b45a656a68bfa792f91005bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/DestroyGameObjectResult.pre-Unity.6.5.cs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40986, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f222620693c39794a0916071f1f3585b3f096b735cb0974911d908f9a44ac585", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|f222620693c39794a0916071f1f3585b3f096b735cb0974911d908f9a44ac585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/DestroyGameObjectResult.pre-Unity.6.5.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40985, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a2f23815394ef4ebb1f2a4e8070164f1f6ffdce81b7f9a1e537f6ea4f022d1e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|6a2f23815394ef4ebb1f2a4e8070164f1f6ffdce81b7f9a1e537f6ea4f022d1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/DestroyGameObjectResult.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40984, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0bb37e77987e3d423898bd37e3e41bbb94aa545fc060982a2ef91048b79b551a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|0bb37e77987e3d423898bd37e3e41bbb94aa545fc060982a2ef91048b79b551a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/DestroyComponentsResponse.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40983, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0258253c6a914c1ac9d0518ddc0c796280439712218ba0a01476c7378e9cb8aa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|0258253c6a914c1ac9d0518ddc0c796280439712218ba0a01476c7378e9cb8aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/DeleteAssetsResponse.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40982, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2436bea9e3333d1c564a30d6d3ead42d9b7adc44dfef690a045836a7504f8752", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|2436bea9e3333d1c564a30d6d3ead42d9b7adc44dfef690a045836a7504f8752"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/CreateFolderResponse.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40981, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d504953f72d2ca54a7ca482788ce3cc886653ca76fa7a1008a4d5fdf19cbc1e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|d504953f72d2ca54a7ca482788ce3cc886653ca76fa7a1008a4d5fdf19cbc1e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/CreateFolderInput.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40980, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ffe5ce26c10a9fed73006c173ff26f25ddb21c45b217013f5b7478245d26699", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/AddComponentResponse.cs", "duplicate_line": 1, "correlation_key": "fp|8ffe5ce26c10a9fed73006c173ff26f25ddb21c45b217013f5b7478245d26699"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Data/ComponentListResult.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40979, "scanner": "repobility-ai-code-hygiene", "fingerprint": "604230d33113605c7e711aa65edb0155a5db5d45ec1f6ae430ba774abe2df65e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.GetData.cs", "duplicate_line": 62, "correlation_key": "fp|604230d33113605c7e711aa65edb0155a5db5d45ec1f6ae430ba774abe2df65e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Shader.GetData.cs"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40978, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1a7b799dda9d9878f73b0eebb2d2de5eda8a3708df22df646d9e0bb9d18b7c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.FindBuiltIn.cs", "duplicate_line": 1, "correlation_key": "fp|d1a7b799dda9d9878f73b0eebb2d2de5eda8a3708df22df646d9e0bb9d18b7c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Shader.GetData.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40977, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6027d39da08c88427614df69f022bbb5f5c7318e4a15ded132f4bb0b72f35eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Prefab.Close.cs", "duplicate_line": 1, "correlation_key": "fp|f6027d39da08c88427614df69f022bbb5f5c7318e4a15ded132f4bb0b72f35eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Prefab.Save.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40976, "scanner": "repobility-ai-code-hygiene", "fingerprint": "603f58c95c69b123cd86de9740370517f50420fd3da17190ff6992e3883f133c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Prefab.Close.cs", "duplicate_line": 1, "correlation_key": "fp|603f58c95c69b123cd86de9740370517f50420fd3da17190ff6992e3883f133c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Prefab.Open.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `show_schema_preview` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, for=1, if=4, nested_bonus=7."}, "properties": {"repobilityId": 40967, "scanner": "repobility-threat-engine", "fingerprint": "5316f8dd3a4e348fad01613d7d672b4d70df649a4dd55411417632a0dbbcb076", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "show_schema_preview", "breakdown": {"if": 4, "for": 1, "else": 1, "nested_bonus": 7}, "complexity": 13, "correlation_key": "fp|5316f8dd3a4e348fad01613d7d672b4d70df649a4dd55411417632a0dbbcb076"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "commands/tools/validate_json_schema.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 5326, "scanner": "repobility-ai-code-hygiene", "fingerprint": "92627b2196fa459e512bc9071067e29d63a840c52fa7712fd411693fd08e5da6", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "Tool_Assets", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.CreateFolders.cs", "correlation_key": "fp|92627b2196fa459e512bc9071067e29d63a840c52fa7712fd411693fd08e5da6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Copy.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5325, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27c0f85e9102541241e48dcc5d375b9ebf5394178bf38bd59481d3d544e04b5a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Prefab.Close.cs", "duplicate_line": 1, "correlation_key": "fp|27c0f85e9102541241e48dcc5d375b9ebf5394178bf38bd59481d3d544e04b5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Prefab.Instantiate.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5324, "scanner": "repobility-ai-code-hygiene", "fingerprint": "283e80a980757e20b4606d994b3fdd53246e9336aaf9f5c2eca1252ae5d134c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Prefab.Close.cs", "duplicate_line": 1, "correlation_key": "fp|283e80a980757e20b4606d994b3fdd53246e9336aaf9f5c2eca1252ae5d134c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Prefab.Create.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5323, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05bfbb6cc9be611bd09165318d7c99cec5313d1d09ebcf63d461c6011602ebb6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Modify.cs", "duplicate_line": 18, "correlation_key": "fp|05bfbb6cc9be611bd09165318d7c99cec5313d1d09ebcf63d461c6011602ebb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Modify.pre-Unity.6.5.cs"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5322, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0bce4195e1d70d885add6dcf03cdc0fd6046b94318ec71f74252a3f1985bee76", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.FindBuiltIn.cs", "duplicate_line": 1, "correlation_key": "fp|0bce4195e1d70d885add6dcf03cdc0fd6046b94318ec71f74252a3f1985bee76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Modify.pre-Unity.6.5.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5320, "scanner": "repobility-ai-code-hygiene", "fingerprint": "78287f3eef11719aaa803bdd4acc76afa0bc836c1a1c78b8241331f12eb2ea64", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.CreateFolders.cs", "duplicate_line": 1, "correlation_key": "fp|78287f3eef11719aaa803bdd4acc76afa0bc836c1a1c78b8241331f12eb2ea64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.Delete.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5319, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94a19843a5d8b74eeb78c31b67fb354b1ae91d7e60b0f4a83c513568495d00db", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Prompt/AnimationTimeline.cs", "duplicate_line": 1, "correlation_key": "fp|94a19843a5d8b74eeb78c31b67fb354b1ae91d7e60b0f4a83c513568495d00db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Prompt/ScriptingCode.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5318, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7af4cb219bb94900901ede7fb01fd8b46df8c4ae2f24d88f73314a6596f4b852", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Prompt/AnimationTimeline.cs", "duplicate_line": 1, "correlation_key": "fp|7af4cb219bb94900901ede7fb01fd8b46df8c4ae2f24d88f73314a6596f4b852"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Prompt/SceneManagement.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5317, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e413da35a46a572a8a315f104b601fd0010ff86ccaef763e32ad6d339c4b64a5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Prompt/AnimationTimeline.cs", "duplicate_line": 1, "correlation_key": "fp|e413da35a46a572a8a315f104b601fd0010ff86ccaef763e32ad6d339c4b64a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Prompt/GameObjectComponent.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5316, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a53d7aafb4432014cb623e40aa69c42ad77c6e1dae1a5322de7c44d9438e3fbb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Prompt/AnimationTimeline.cs", "duplicate_line": 1, "correlation_key": "fp|a53d7aafb4432014cb623e40aa69c42ad77c6e1dae1a5322de7c44d9438e3fbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Prompt/DebuggingTesting.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5315, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ff80a08e388eb27b9df0f8032a1264ac336f560f92c404f55e9ac0692f73c9c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Prompt/AnimationTimeline.cs", "duplicate_line": 1, "correlation_key": "fp|5ff80a08e388eb27b9df0f8032a1264ac336f560f92c404f55e9ac0692f73c9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Prompt/AssetManagement.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5314, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4a63fc0aa8d03fc249ce3c1e86d3b8ad9c012d51ea73df98c537839e5ad588c9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/DependencyResolver/NuGetPackageInstaller.cs", "duplicate_line": 1, "correlation_key": "fp|4a63fc0aa8d03fc249ce3c1e86d3b8ad9c012d51ea73df98c537839e5ad588c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/DependencyResolver/NuGetPackageRestorer.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 40975, "scanner": "repobility-threat-engine", "fingerprint": "1df0a032f08c2003ff10af02e49c4b65306d1dbb212e6ff07d6d11708e489fdd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1df0a032f08c2003ff10af02e49c4b65306d1dbb212e6ff07d6d11708e489fdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "commands/tools/validate_json_schema.py"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40974, "scanner": "repobility-threat-engine", "fingerprint": "633d6e7d221f29a869cdb2a3474cbae2bdb56a557262f4c6883bb1ebdb061a58", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|633d6e7d221f29a869cdb2a3474cbae2bdb56a557262f4c6883bb1ebdb061a58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/utils/manifest.ts"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 40972, "scanner": "repobility-threat-engine", "fingerprint": "67a27f5cf85eac044eca73e20fc23fb9d6a1a9f74728d143ec989b8f7cbb925d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|67a27f5cf85eac044eca73e20fc23fb9d6a1a9f74728d143ec989b8f7cbb925d", "aggregated_count": 4}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40971, "scanner": "repobility-threat-engine", "fingerprint": "3fae759947493934d7312a4609bcd060e146a43488c3a3703e29dc9c138b5b05", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3fae759947493934d7312a4609bcd060e146a43488c3a3703e29dc9c138b5b05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/setup-skills.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40970, "scanner": "repobility-threat-engine", "fingerprint": "8a02ebc9f4ca5b1722b87b154fa89a8149627fc31ad914ba6963998615c4b453", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8a02ebc9f4ca5b1722b87b154fa89a8149627fc31ad914ba6963998615c4b453"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/setup-mcp.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40969, "scanner": "repobility-threat-engine", "fingerprint": "c5b67e4925e0487e83f3f2a5765d2c4eb287b1af4c4c432679c79d42ea51d589", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c5b67e4925e0487e83f3f2a5765d2c4eb287b1af4c4c432679c79d42ea51d589"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/run-tool-builder.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 40968, "scanner": "repobility-threat-engine", "fingerprint": "33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "fetch_tools", "breakdown": {"if": 3, "for": 1, "elif": 3, "else": 1, "except": 2, "continue": 1, "nested_bonus": 11}, "aggregated": true, "complexity": 22, "correlation_key": "fp|33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "aggregated_count": 1}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 40964, "scanner": "repobility-threat-engine", "fingerprint": "cb347275f467a0d33491289fa28b9edd47b454b82cc1d684b1c62b35e1e47803", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cb347275f467a0d33491289fa28b9edd47b454b82cc1d684b1c62b35e1e47803"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/MCP-Test-Client/mcp_client.py"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 40962, "scanner": "repobility-threat-engine", "fingerprint": "fb6f2e836d0e4c95ce6b1de566a2a781cfda8dd45b4aeff21da304b8e23a4ccf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fb6f2e836d0e4c95ce6b1de566a2a781cfda8dd45b4aeff21da304b8e23a4ccf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/Skills/Skill_InitialSetup.cs"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 40958, "scanner": "repobility-threat-engine", "fingerprint": "626b968a51905fab68488b914668d7d2e59a6d38ac62d921861aaee76f35958d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|626b968a51905fab68488b914668d7d2e59a6d38ac62d921861aaee76f35958d"}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "properties": {"repobilityId": 40954, "scanner": "repobility-threat-engine", "fingerprint": "f48cfad9373a17bfe300a9ed3be5aaa2b16c7d0768c6279cbde226caa8f4df89", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 32 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f48cfad9373a17bfe300a9ed3be5aaa2b16c7d0768c6279cbde226caa8f4df89", "aggregated_count": 32}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 40953, "scanner": "repobility-threat-engine", "fingerprint": "f99d41426f2e007701f42bfa39a34d780c4754352f7b06e8d42e76cbd25f35b6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f99d41426f2e007701f42bfa39a34d780c4754352f7b06e8d42e76cbd25f35b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/Tool/Assets.FindBuiltIn.cs"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 40952, "scanner": "repobility-threat-engine", "fingerprint": "dc7ca6d575f7d9bd8e48cd95704a5059ee0e345a18aa0ebe04879234ddb37879", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc7ca6d575f7d9bd8e48cd95704a5059ee0e345a18aa0ebe04879234ddb37879"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/API/SystemTool/Skills.Generate.cs"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 40951, "scanner": "repobility-threat-engine", "fingerprint": "bec75a5e07e9bd1c7b2b6295266cbe3d22f3d774bcd05f6dedd033f0b1b34529", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bec75a5e07e9bd1c7b2b6295266cbe3d22f3d774bcd05f6dedd033f0b1b34529"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Installer/Assets/com.IvanMurzak/AI Game Dev Installer/Installer.Manifest.cs"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC002", "level": "none", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 5329, "scanner": "repobility-threat-engine", "fingerprint": "10f96fdc6178f1974ed24af596b21180c84f49afd74ec7313ca6cd493f6a81a2", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential", "evidence": {"match": "API_KEY='<redacted>'", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "commands/tools/validate_mcp_openai.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5328, "scanner": "repobility-threat-engine", "fingerprint": "33fd15f5368ab104781eae82752b3c1565416fb43f66c04b4102e3046e2c0a5f", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(f\"{Colors.RED}Error: OPENAI_API_KEY not found.{Colors.RESET}\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|print f colors.red error: openai_api_key not found. colors.reset"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "commands/tools/validate_mcp_openai.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5327, "scanner": "repobility-threat-engine", "fingerprint": "73119129606ed2df75067fe9168eb4a9fee63b3267f89c44246262433bb99a16", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "print(\"[red]Error: SERVER_TOKEN not set in .env file[/red]\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|22|print red error: server_token not set in .env file /red"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/MCP-Test-Client/mcp_client.py"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/ReflectorNet.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/ReflectorNet.dll` is a .dll binary (230,912 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41058, "scanner": "repobility-supply-chain", "fingerprint": "fa4c74d9f48b0dec5bd400cecbb47b7eeb1711d9adc2165107d3a468417bf6e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa4c74d9f48b0dec5bd400cecbb47b7eeb1711d9adc2165107d3a468417bf6e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/ReflectorNet.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Text.Json.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Text.Json.dll` is a .dll binary (608,520 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41057, "scanner": "repobility-supply-chain", "fingerprint": "fe69b9bc17bf3969658e0ea1940612b0a912ebffe704dc8d8c7f6286ceb25070", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe69b9bc17bf3969658e0ea1940612b0a912ebffe704dc8d8c7f6286ceb25070"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Text.Json.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.SignalR.Common.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.SignalR.Common.dll` is a .dll binary (44,840 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41056, "scanner": "repobility-supply-chain", "fingerprint": "f542ddf562aebd18b0598635f93f8ef1e7380c632c257047dced4208c7330d33", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f542ddf562aebd18b0598635f93f8ef1e7380c632c257047dced4208c7330d33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.SignalR.Common.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Hosting.Abstractions.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Hosting.Abstractions.dll` is a .dll binary (54,568 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41055, "scanner": "repobility-supply-chain", "fingerprint": "b92af0439aa77df0fc16dd3a37e0e54fe13df091d9b86c7efa5bbc06e8524f44", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b92af0439aa77df0fc16dd3a37e0e54fe13df091d9b86c7efa5bbc06e8524f44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Hosting.Abstractions.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.DependencyInjection.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.DependencyInjection.dll` is a .dll binary (96,040 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41054, "scanner": "repobility-supply-chain", "fingerprint": "ed485ba9fd8be72e21a01cb0a97a35de070bab3b8c8b8b85e19e3f065188edb5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed485ba9fd8be72e21a01cb0a97a35de070bab3b8c8b8b85e19e3f065188edb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.DependencyInjection.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.FileProviders.Abstractions.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.FileProviders.Abstractions.dll` is a .dll binary (25,864 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41053, "scanner": "repobility-supply-chain", "fingerprint": "46e2fce22a4223ff4f5343c2a8abfb04ce9f150baa0001b745128c55623333ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46e2fce22a4223ff4f5343c2a8abfb04ce9f150baa0001b745128c55623333ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.FileProviders.Abstractions.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.SignalR.Client.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.SignalR.Client.dll` is a .dll binary (24,376 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41052, "scanner": "repobility-supply-chain", "fingerprint": "697a30045fcbb5bad892a17dcef9e5715bc8829d116799df0c67da4f9606eb28", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|697a30045fcbb5bad892a17dcef9e5715bc8829d116799df0c67da4f9606eb28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.SignalR.Client.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Bcl.TimeProvider.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Bcl.TimeProvider.dll` is a .dll binary (32,432 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41051, "scanner": "repobility-supply-chain", "fingerprint": "c99043090b50d3943074232dc4f2392f9ba7f663dfbca713a21f3e551dec21e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c99043090b50d3943074232dc4f2392f9ba7f663dfbca713a21f3e551dec21e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Bcl.TimeProvider.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.SignalR.Client.Core.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.SignalR.Client.Core.dll` is a .dll binary (199,448 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41050, "scanner": "repobility-supply-chain", "fingerprint": "39814e307926e3e8fcbe6cb882a25f2981d7df64156fec416f345abb72dc9a58", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39814e307926e3e8fcbe6cb882a25f2981d7df64156fec416f345abb72dc9a58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.SignalR.Client.Core.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Memory.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Memory.dll` is a .dll binary (142,752 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41049, "scanner": "repobility-supply-chain", "fingerprint": "eb238043e436c8094c8d1c8faecfda80905cbe203596982b9538571647d6311e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb238043e436c8094c8d1c8faecfda80905cbe203596982b9538571647d6311e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Memory.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.Http.Connections.Client.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.Http.Connections.Client.dll` is a .dll binary (121,640 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41048, "scanner": "repobility-supply-chain", "fingerprint": "68c19ffdf09f63d2d95112a848da4923194ee3126b28afa4a94f6bb207517a7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|68c19ffdf09f63d2d95112a848da4923194ee3126b28afa4a94f6bb207517a7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.Http.Connections.Client.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.CodeAnalysis.CSharp.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.CodeAnalysis.CSharp.dll` is a .dll binary (8,005,280 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41047, "scanner": "repobility-supply-chain", "fingerprint": "ec99fa826c7e7f3ffa9b2d0dc6a266ffd8aa758d9d2b5185484e91cff35421c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec99fa826c7e7f3ffa9b2d0dc6a266ffd8aa758d9d2b5185484e91cff35421c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.CodeAnalysis.CSharp.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Caching.Abstractions.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Caching.Abstractions.dll` is a .dll binary (34,576 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41046, "scanner": "repobility-supply-chain", "fingerprint": "221fff3997db513fd6f008e2e98ba13d81c502c587652bd168634b68789bb6a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|221fff3997db513fd6f008e2e98ba13d81c502c587652bd168634b68789bb6a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Caching.Abstractions.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Runtime.CompilerServices.Unsafe.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Runtime.CompilerServices.Unsafe.dll` is a .dll binary (19,256 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41045, "scanner": "repobility-supply-chain", "fingerprint": "5065a314b6ef1651af8ebf8aaee834d7ecdd7580f2c113ac81624fd343d8d77f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5065a314b6ef1651af8ebf8aaee834d7ecdd7580f2c113ac81624fd343d8d77f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Runtime.CompilerServices.Unsafe.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Threading.Tasks.Extensions.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Threading.Tasks.Extensions.dll` is a .dll binary (25,984 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41044, "scanner": "repobility-supply-chain", "fingerprint": "2fb7ab6fe9931ea25a0325fbccf9a82690cbd13e5c0f4613a582978d41cefa40", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2fb7ab6fe9931ea25a0325fbccf9a82690cbd13e5c0f4613a582978d41cefa40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Threading.Tasks.Extensions.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Reflection.Metadata.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Reflection.Metadata.dll` is a .dll binary (466,560 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41043, "scanner": "repobility-supply-chain", "fingerprint": "44c0ea9d574b509f6bf154eeb7d90560433fdf0d536986c3f7bbe59423d23042", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44c0ea9d574b509f6bf154eeb7d90560433fdf0d536986c3f7bbe59423d23042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Reflection.Metadata.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/R3.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/R3.dll` is a .dll binary (601,600 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41042, "scanner": "repobility-supply-chain", "fingerprint": "5ec187b889cff84a67041d4d3227376f9a83dfe07486f6fce88026f3bd82116c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ec187b889cff84a67041d4d3227376f9a83dfe07486f6fce88026f3bd82116c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/R3.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Bcl.AsyncInterfaces.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Bcl.AsyncInterfaces.dll` is a .dll binary (19,104 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41041, "scanner": "repobility-supply-chain", "fingerprint": "762793864170ee116f9b1beb918759e34ce927123498da4b8d9d769f347be6cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|762793864170ee116f9b1beb918759e34ce927123498da4b8d9d769f347be6cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Bcl.AsyncInterfaces.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.ComponentModel.Annotations.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.ComponentModel.Annotations.dll` is a .dll binary (89,992 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41040, "scanner": "repobility-supply-chain", "fingerprint": "ea593d9b61c22120357850806dc86c33696135d0f7eff510d5a9c4fb1c42d960", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea593d9b61c22120357850806dc86c33696135d0f7eff510d5a9c4fb1c42d960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/System.ComponentModel.Annotations.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Numerics.Vectors.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Numerics.Vectors.dll` is a .dll binary (163,712 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41039, "scanner": "repobility-supply-chain", "fingerprint": "92428337b9036823fd2ee93e0bdeae02632eadd99aa3eda4205eff68170fbca8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|92428337b9036823fd2ee93e0bdeae02632eadd99aa3eda4205eff68170fbca8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Numerics.Vectors.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Buffers.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Buffers.dll` is a .dll binary (21,376 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41038, "scanner": "repobility-supply-chain", "fingerprint": "33ca507a57c7aa6c30f3560cd2a2697da2fe8781955f6a15a389d8a1c39c3a27", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33ca507a57c7aa6c30f3560cd2a2697da2fe8781955f6a15a389d8a1c39c3a27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/System.Buffers.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.CodeAnalysis.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.CodeAnalysis.dll` is a .dll binary (4,706,480 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41037, "scanner": "repobility-supply-chain", "fingerprint": "b74ebf54c37cfb152cbe2aeba2c383f6efcd1f25d9923b9bec5c9b4c250d6ca5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b74ebf54c37cfb152cbe2aeba2c383f6efcd1f25d9923b9bec5c9b4c250d6ca5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.CodeAnalysis.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.Connections.Abstractions.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.Connections.Abstractions.dll` is a .dll binary (41,264 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41036, "scanner": "repobility-supply-chain", "fingerprint": "9e0c5117219f3111e9e5f25f46cc894ea9c19b1d75c9026c7ae74fce10df26dd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e0c5117219f3111e9e5f25f46cc894ea9c19b1d75c9026c7ae74fce10df26dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.AspNetCore.Connections.Abstractions.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Diagnostics.Abstractions.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Diagnostics.Abstractions.dll` is a .dll binary (34,600 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41035, "scanner": "repobility-supply-chain", "fingerprint": "b3be703bfd3689ab0bc86429dca85a5a5e5cd96b30ee67865abe37b2948750b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b3be703bfd3689ab0bc86429dca85a5a5e5cd96b30ee67865abe37b2948750b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Diagnostics.Abstractions.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Primitives.dll` committed in source repo: `Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Primitives.dll` is a .dll binary (49,936 bytes) committed to a repo that otherwise has 606 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 41034, "scanner": "repobility-supply-chain", "fingerprint": "8d1acea9339ed0d5c0f5f9a49111d45eca9334305343aafa5a5c783675a29e5d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d1acea9339ed0d5c0f5f9a49111d45eca9334305343aafa5a5c783675a29e5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Assets/Plugins/NuGet/Microsoft.Extensions.Primitives.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41033, "scanner": "repobility-supply-chain", "fingerprint": "672e0eb46370ad22b139840235079cfa4734060c13badc0cb568782901047a49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|672e0eb46370ad22b139840235079cfa4734060c13badc0cb568782901047a49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mukunku/tag-exists-action` pinned to mutable ref `@v1.7.0`: `uses: mukunku/tag-exists-action@v1.7.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41032, "scanner": "repobility-supply-chain", "fingerprint": "6b41c67c6ca1194631b5d080a706b948b31deb92410a40ce73c1da221ef6cc08", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b41c67c6ca1194631b5d080a706b948b31deb92410a40ce73c1da221ef6cc08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `WyriHaximus/github-action-get-previous-tag` pinned to mutable ref `@v2`: `uses: WyriHaximus/github-action-get-previous-tag@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41031, "scanner": "repobility-supply-chain", "fingerprint": "fd40ff892c54b972b1227a3cafef5006ddfdac5f541abc471298357b35cdfe12", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd40ff892c54b972b1227a3cafef5006ddfdac5f541abc471298357b35cdfe12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `martinbeentjes/npm-get-version-action` pinned to mutable ref `@v1.3.1`: `uses: martinbeentjes/npm-get-version-action@v1.3.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41030, "scanner": "repobility-supply-chain", "fingerprint": "474ee18a2fa101a234e601a158dea42934357b1d90a8971c131b5c39fecf0885", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|474ee18a2fa101a234e601a158dea42934357b1d90a8971c131b5c39fecf0885"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41029, "scanner": "repobility-supply-chain", "fingerprint": "0847fc84f7c6c5d7af6bd0b29edad61064d58039bf905d176fa1bb49ee9d3f2a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0847fc84f7c6c5d7af6bd0b29edad61064d58039bf905d176fa1bb49ee9d3f2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41028, "scanner": "repobility-supply-chain", "fingerprint": "0c22de7f6b129bc2f90dcf7a9895f2810dafa8431c8b23305cf361092b2878dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c22de7f6b129bc2f90dcf7a9895f2810dafa8431c8b23305cf361092b2878dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41027, "scanner": "repobility-supply-chain", "fingerprint": "fbe04425738de4e74fb9ab13fe837525b84e3c704a7020505d62b4742072057c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fbe04425738de4e74fb9ab13fe837525b84e3c704a7020505d62b4742072057c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41026, "scanner": "repobility-supply-chain", "fingerprint": "248d264f2a0e1e2ce99be08047d0bcc419fa28fff3a363f12def23678a81710b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|248d264f2a0e1e2ce99be08047d0bcc419fa28fff3a363f12def23678a81710b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41025, "scanner": "repobility-supply-chain", "fingerprint": "421333aa64b0ce2b23ab1788e805bafc50b79d2c339b4c780b2886e984086299", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|421333aa64b0ce2b23ab1788e805bafc50b79d2c339b4c780b2886e984086299"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_unity_plugin.yml"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `game-ci/unity-test-runner` pinned to mutable ref `@v4`: `uses: game-ci/unity-test-runner@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41024, "scanner": "repobility-supply-chain", "fingerprint": "43528bdb5e5627453d6e10db9f6615ce66bbdc8030b26d41bc9a322ef49de98b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43528bdb5e5627453d6e10db9f6615ce66bbdc8030b26d41bc9a322ef49de98b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_unity_plugin.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41023, "scanner": "repobility-supply-chain", "fingerprint": "2548157114d70eb2c1df57bbddb7c738416546de32b700d574517f88b308d179", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2548157114d70eb2c1df57bbddb7c738416546de32b700d574517f88b308d179"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_unity_plugin.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `jlumbroso/free-disk-space` pinned to mutable ref `@main`: `uses: jlumbroso/free-disk-space@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41022, "scanner": "repobility-supply-chain", "fingerprint": "c8d6a3f7964c6572ddf0f85a38bc4be368dbfd1f2e5a23714f9791373b3656a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8d6a3f7964c6572ddf0f85a38bc4be368dbfd1f2e5a23714f9791373b3656a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_unity_plugin.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41021, "scanner": "repobility-supply-chain", "fingerprint": "de5430779a0b9a3a2742898aeee1a43b90c17c9ee4bce66d2343e3433c7e4482", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|de5430779a0b9a3a2742898aeee1a43b90c17c9ee4bce66d2343e3433c7e4482"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_unity_plugin.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41020, "scanner": "repobility-supply-chain", "fingerprint": "ff4406c9301aea59015ef28c39aaaf8ca93f9551264fae2b470de00de53f1fca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff4406c9301aea59015ef28c39aaaf8ca93f9551264fae2b470de00de53f1fca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_cli.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41019, "scanner": "repobility-supply-chain", "fingerprint": "98f7f5276532584b4bbc51c652b5e2519cdd7f687ae378e1d3fae56286bbf50f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98f7f5276532584b4bbc51c652b5e2519cdd7f687ae378e1d3fae56286bbf50f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_cli.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41018, "scanner": "repobility-supply-chain", "fingerprint": "b4cef919d26302fce0b3fd4753c21c33dfb744503a25dcec062dc9286627a773", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4cef919d26302fce0b3fd4753c21c33dfb744503a25dcec062dc9286627a773"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41017, "scanner": "repobility-supply-chain", "fingerprint": "f821f72d57bbeddd981af0319b696f6894236316719f9a380fda9169bb4d70a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f821f72d57bbeddd981af0319b696f6894236316719f9a380fda9169bb4d70a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41016, "scanner": "repobility-supply-chain", "fingerprint": "53556c609a1ae596b840f6076a60635f3e536bd278be5a8d4dbc7956c922acc1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|53556c609a1ae596b840f6076a60635f3e536bd278be5a8d4dbc7956c922acc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `NuGet/login` pinned to mutable ref `@v1`: `uses: NuGet/login@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41015, "scanner": "repobility-supply-chain", "fingerprint": "ec4ac2c19613b2c77eae97018dc68db7c47c48390c55dfb4f4b0c2c6d779a5dd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec4ac2c19613b2c77eae97018dc68db7c47c48390c55dfb4f4b0c2c6d779a5dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41014, "scanner": "repobility-supply-chain", "fingerprint": "a8322e85f051ad144f588af1f65f77b9a6184bd40e9554e354ccd87db1a3ca27", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8322e85f051ad144f588af1f65f77b9a6184bd40e9554e354ccd87db1a3ca27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41013, "scanner": "repobility-supply-chain", "fingerprint": "cef83e0e4dccdaa9ab2289ed09461c2fa6537ca7433d47573bf1721cb6cc9f01", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cef83e0e4dccdaa9ab2289ed09461c2fa6537ca7433d47573bf1721cb6cc9f01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41009, "scanner": "repobility-supply-chain", "fingerprint": "fc1dceb011ddb731eeed35ce46f63c9e0c78a4b91c5f955473d24a64358289de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc1dceb011ddb731eeed35ce46f63c9e0c78a4b91c5f955473d24a64358289de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41008, "scanner": "repobility-supply-chain", "fingerprint": "6c92f3d88cc733ca222031f4ad7e1719a62240213cb26f55bbd02be57d78db28", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c92f3d88cc733ca222031f4ad7e1719a62240213cb26f55bbd02be57d78db28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_pull_request.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41007, "scanner": "repobility-supply-chain", "fingerprint": "30e03e257d121dc6d4263f6fb532df7a0f39aa21ead16b10a13983b4f0f1a80f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|30e03e257d121dc6d4263f6fb532df7a0f39aa21ead16b10a13983b4f0f1a80f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_pull_request.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41006, "scanner": "repobility-supply-chain", "fingerprint": "dd6753b84aca82cc15a2ca607fb78f66cdab8b3ca4ed83f0d079b074a1e24e02", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd6753b84aca82cc15a2ca607fb78f66cdab8b3ca4ed83f0d079b074a1e24e02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_pull_request.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet/aspnet:9.0` not pinned by digest: `FROM mcr.microsoft.com/dotnet/aspnet:9.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41005, "scanner": "repobility-supply-chain", "fingerprint": "2cdc83d885e3f4d99147671eb2216e5384c3d550657e6bb860a43e3424846c37", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2cdc83d885e3f4d99147671eb2216e5384c3d550657e6bb860a43e3424846c37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet/sdk:9.0` not pinned by digest: `FROM mcr.microsoft.com/dotnet/sdk:9.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41004, "scanner": "repobility-supply-chain", "fingerprint": "7fcfc18cf78cd6caf266bf64f5b29b28b1c0ceffab4d0ad2abf356f146ee5a5e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7fcfc18cf78cd6caf266bf64f5b29b28b1c0ceffab4d0ad2abf356f146ee5a5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 40973, "scanner": "repobility-threat-engine", "fingerprint": "1c1e3293f4dd6d215d405a09e98a9a5b99b2a9af7322d8ebe7723b3c30214b8d", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(options.input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|cli/src/utils/input.ts|38|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/utils/input.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 40963, "scanner": "repobility-threat-engine", "fingerprint": "346f81a844fc9246e95509f36109baa05abf2a34742ca50a9b98dc01ec343353", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|346f81a844fc9246e95509f36109baa05abf2a34742ca50a9b98dc01ec343353"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/MCP-Test-Client/mcp_client.py"}, "region": {"startLine": 235}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40961, "scanner": "repobility-threat-engine", "fingerprint": "9e141aad1b8dacaefc522e6c0809ac0ca60362736ebfe8fa8665d9547b95ac9e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(U", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9e141aad1b8dacaefc522e6c0809ac0ca60362736ebfe8fa8665d9547b95ac9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/UI/Window/UpdatePopupWindow.cs"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40960, "scanner": "repobility-threat-engine", "fingerprint": "050fb672e713f34e27670ac3e3fbc9cd7659ea27319f6ac75b7b91a1da6cb1a1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|050fb672e713f34e27670ac3e3fbc9cd7659ea27319f6ac75b7b91a1da6cb1a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/UI/MenuItems.cs"}, "region": {"startLine": 184}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40959, "scanner": "repobility-threat-engine", "fingerprint": "253e6b45463ffd2a8508bb7ee1dc8a2ea93b0e39fd1113eb52d8af82489f01a3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|253e6b45463ffd2a8508bb7ee1dc8a2ea93b0e39fd1113eb52d8af82489f01a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/Scripts/Services/DeviceAuthFlow.cs"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40957, "scanner": "repobility-threat-engine", "fingerprint": "d78db40a6cd9f144a4d7b234eeaf801fedc9fe800b0e58cf69fd3eabdf4e8d89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "NuGetInstallManifest.Save(NuGetConfig.InstallPath, rebuilt);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d78db40a6cd9f144a4d7b234eeaf801fedc9fe800b0e58cf69fd3eabdf4e8d89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/DependencyResolver/NuGetPackageRestorer.cs"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40956, "scanner": "repobility-threat-engine", "fingerprint": "2436cf0101a9a978ab840e5ca172432ff607aae7e404093c59a6e4a53aa69a2c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "File.Delete(filePath);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2436cf0101a9a978ab840e5ca172432ff607aae7e404093c59a6e4a53aa69a2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/DependencyResolver/NuGetLegacyMigration.cs"}, "region": {"startLine": 201}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40955, "scanner": "repobility-threat-engine", "fingerprint": "9656b066adcdb2421baa13405cdcd37a61aafdd589fe6d86f0b4bf6b92f64d9e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "File.Delete(cachedPath);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9656b066adcdb2421baa13405cdcd37a61aafdd589fe6d86f0b4bf6b92f64d9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Plugin/Packages/com.ivanmurzak.unity.mcp/Editor/DependencyResolver/NuGetDownloader.cs"}, "region": {"startLine": 75}}}]}, {"ruleId": "ERRH003", "level": "error", "message": {"text": "except BaseException \u2014 catches SystemExit/KeyboardInterrupt"}, "properties": {"repobilityId": 18550, "scanner": "repobility", "fingerprint": "8b6a74ff3163a9d597526c612384ccb7", "category": "error_handling", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "except KeyboardInterrupt", "aljefra_cwe": ["CWE-705"], "aljefra_owasp": null, "aljefra_pattern_slug": "overcatch-baseexception"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/MCP-Test-Client/mcp_client.py"}, "region": {"startLine": 235}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 5330, "scanner": "repobility-docker", "fingerprint": "97a3a569ef8d87b7ae38a77c4799685b4cba6a3f4d890e8f6a71ded7588b4e56", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|97a3a569ef8d87b7ae38a77c4799685b4cba6a3f4d890e8f6a71ded7588b4e56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Unity-MCP-Server/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UNITY_MCP_TOOLS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UNITY_MCP_TOOLS }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 41012, "scanner": "repobility-supply-chain", "fingerprint": "d9a16a5619d773d3546d8741f2b665c7a58d797e1ba262c418ab95ac72ed7ca9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9a16a5619d773d3546d8741f2b665c7a58d797e1ba262c418ab95ac72ed7ca9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UNITY_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UNITY_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 41011, "scanner": "repobility-supply-chain", "fingerprint": "c168d90984abfec9718de1fe14fbb16a7cadaaa5b0c260faab57d5999e0fefef", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c168d90984abfec9718de1fe14fbb16a7cadaaa5b0c260faab57d5999e0fefef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UNITY_EMAIL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UNITY_EMAIL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 41010, "scanner": "repobility-supply-chain", "fingerprint": "c3adb8a0dc5822e33a23b4450ae5b54f211b96db6675a4bd34d1a80ca637ce61", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3adb8a0dc5822e33a23b4450ae5b54f211b96db6675a4bd34d1a80ca637ce61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 43}}}]}]}]}