{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Intervals created in React hooks or components should be cleared on unmount. Missing cleanup can keep stale callbacks alive after recording, polling, or overlay components close."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 526 lines (recommend <300)", "shortDescription": {"text": "Average file size is 526 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `add` has cognitive complexity 13 (SonarSource scale). Cognitive complexit", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `add` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 13."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `tools/closure-compiler/closure-compiler-v20181008.jar` committed in source repo", "shortDescription": {"text": "Binary file `tools/closure-compiler/closure-compiler-v20181008.jar` committed in source repo"}, "fullDescription": {"text": "`tools/closure-compiler/closure-compiler-v20181008.jar` is a .jar binary (7,765,647 bytes) committed to a repo that otherwise has 72 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1192"}, "properties": {"repository": "CDrummond/lms-material", "repoUrl": "https://github.com/CDrummond/lms-material", "branch": "master"}, "results": [{"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 119735, "scanner": "repobility-threat-engine", "fingerprint": "cd58eeb2b31fb6dcf752be6f13abee217851ca1fef430a8d146f08c3f200ccb0", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cd58eeb2b31fb6dcf752be6f13abee217851ca1fef430a8d146f08c3f200ccb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "update-lang.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 119724, "scanner": "repobility-threat-engine", "fingerprint": "1fb40d865b31f6836c9af0267656cfaef6b84ee8d64160daecb7d4332b2b665f", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a class=\"lms-link\" :href=\"item.text\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|16|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/info-dialog.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 119723, "scanner": "repobility-threat-engine", "fingerprint": "ee2a674b76a3a355997f6853464ca35fd5fa23a57d034d37e842e1e1bccdc150", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(doReplacements(action.weblink, player, item)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|182|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/customactions.js"}, "region": {"startLine": 182}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 119717, "scanner": "repobility-threat-engine", "fingerprint": "7b2372c6dd5aa38f2b75b7aef7fde04cae861c5b505ba4407b7b883aadb1ccbc", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|31|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/icon-mapping.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 119716, "scanner": "repobility-threat-engine", "fingerprint": "d149a944c424459cb8bd83b8c9462754a2b0144df66e0f357488588786e6cf63", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|26|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/customactions.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 119715, "scanner": "repobility-threat-engine", "fingerprint": "f4e40667694844c796616311a4231524b3120f4e2204a7a4513e91269b2b94ca", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|200|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/constants.js"}, "region": {"startLine": 200}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 119713, "scanner": "repobility-threat-engine", "fingerprint": "8be500e0bf51f8819d77c0d2934a9d2b9f0ce785970156b264c6fefbaf8b2519", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {\n                    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8be500e0bf51f8819d77c0d2934a9d2b9f0ce785970156b264c6fefbaf8b2519"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/currentcover.js"}, "region": {"startLine": 127}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 119712, "scanner": "repobility-threat-engine", "fingerprint": "a6ccdcd05f93e2465af20ffeca559e23e89022f389be7c6cf4f24ef0dce1880d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(e) { }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a6ccdcd05f93e2465af20ffeca559e23e89022f389be7c6cf4f24ef0dce1880d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/constants.js"}, "region": {"startLine": 200}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 119711, "scanner": "repobility-threat-engine", "fingerprint": "c942cfef2e77749a017b5e300fe5f8a6d22ee863bd64bd700f89b290e7895478", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(e) { }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c942cfef2e77749a017b5e300fe5f8a6d22ee863bd64bd700f89b290e7895478"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/bottomnav.js"}, "region": {"startLine": 81}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 119710, "scanner": "repobility-agent-runtime", "fingerprint": "f1a48b70d6b725d8980e1d06218c5ac38d2fe9c1fb5ce424442c4739755462c5", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|f1a48b70d6b725d8980e1d06218c5ac38d2fe9c1fb5ce424442c4739755462c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/utils.js"}, "region": {"startLine": 501}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 119709, "scanner": "repobility-agent-runtime", "fingerprint": "58af0a5bb2723c366abad1fbfc05d70ec1859ffcb19ddbe9aa06fc7b1ef51478", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|58af0a5bb2723c366abad1fbfc05d70ec1859ffcb19ddbe9aa06fc7b1ef51478"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/server.js"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 119707, "scanner": "repobility-ast-engine", "fingerprint": "a7bccd15e96b2a8147a16492a2e18b66d5d280bd7c3ae47140c32acf22383800", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a7bccd15e96b2a8147a16492a2e18b66d5d280bd7c3ae47140c32acf22383800"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mkrel.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 119706, "scanner": "repobility-ast-engine", "fingerprint": "25dcfc3485756a3173ad3c59193d01cec1fb39ddceb9ad2d3ee73e8fe2fbceb5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|25dcfc3485756a3173ad3c59193d01cec1fb39ddceb9ad2d3ee73e8fe2fbceb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mkrel.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 526 lines (recommend <300)"}, "properties": {"repobilityId": 119698, "scanner": "repobility-core", "fingerprint": "e9ff6fe63f34798d158b3135fb0b115b4b067801a2be1f242be180d7767bd0fc", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|e9ff6fe63f34798d158b3135fb0b115b4b067801a2be1f242be180d7767bd0fc"}}}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 119697, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `add` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, for=1, if=5, nested_bonus=6."}, "properties": {"repobilityId": 119737, "scanner": "repobility-threat-engine", "fingerprint": "470cf996e539a295b234eb3420cf390b8470eedd84d74079a1ede86c69ca820e", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "add", "breakdown": {"if": 5, "for": 1, "elif": 1, "nested_bonus": 6}, "complexity": 13, "correlation_key": "fp|470cf996e539a295b234eb3420cf390b8470eedd84d74079a1ede86c69ca820e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "update-lang.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 119728, "scanner": "repobility-threat-engine", "fingerprint": "bf35656cb5709b13e9a4455b10794dcf694c6449baa324f9a4314198dc00a24c", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"html/misc/\"+name+\".json?r=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf35656cb5709b13e9a4455b10794dcf694c6449baa324f9a4314198dc00a24c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/icon-mapping.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "66da05187a99d2c2be662d0d162f536117a1ae19e7d7326e408a34fd3d74b7d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MaterialSkin/HTML/material/html/js/groupvolume-dialog.js", "duplicate_line": 314, "correlation_key": "fp|66da05187a99d2c2be662d0d162f536117a1ae19e7d7326e408a34fd3d74b7d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/volume.js"}, "region": {"startLine": 133}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43a340c322c2aad205ca63b7dc2b3377174d8b09eff8753cfc9b9e285ab3cff3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MaterialSkin/HTML/material/html/js/navdrawer.js", "duplicate_line": 282, "correlation_key": "fp|43a340c322c2aad205ca63b7dc2b3377174d8b09eff8753cfc9b9e285ab3cff3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/toolbar.js"}, "region": {"startLine": 156}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db026003ff21383746b31309aff2eb03651e5be59ffa785d6450cee6f58d5ef2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MaterialSkin/HTML/material/html/js/addtoplaylist-dialog.js", "duplicate_line": 25, "correlation_key": "fp|db026003ff21383746b31309aff2eb03651e5be59ffa785d6450cee6f58d5ef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/savequeue-dialog.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c4ac0d16557867f16e872872a01f0f4758c0f099de4e4b1c93561249b09e5a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MaterialSkin/HTML/material/html/js/npshare-dialog.js", "duplicate_line": 520, "correlation_key": "fp|4c4ac0d16557867f16e872872a01f0f4758c0f099de4e4b1c93561249b09e5a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/rating-dialog.js"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d6fa28f2cdeed475644109646643ce98483cca8307a66ddf65f49738e87aec79", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MaterialSkin/HTML/material/html/js/favorite-dialog.js", "duplicate_line": 152, "correlation_key": "fp|d6fa28f2cdeed475644109646643ce98483cca8307a66ddf65f49738e87aec79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/info-dialog.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9bcdc710d6e72d8450a94ed26497a3a6368c966901c3e03da2492c4656b85f7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MaterialSkin/HTML/material/html/js/dstm-dialog.js", "duplicate_line": 21, "correlation_key": "fp|d9bcdc710d6e72d8450a94ed26497a3a6368c966901c3e03da2492c4656b85f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/icon-dialog.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 119699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "56a72b1c2bc18a42d2919763a40ab86543b2b04b1642c41d83a4688510572317", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MaterialSkin/HTML/material/html/js/choice-dialog.js", "duplicate_line": 142, "correlation_key": "fp|56a72b1c2bc18a42d2919763a40ab86543b2b04b1642c41d83a4688510572317"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/groupplayers-dialog.js"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 119734, "scanner": "repobility-threat-engine", "fingerprint": "65174b5833e3cba3d8b653839e3401dedbb8cf532240a6e45402890f84144d59", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|65174b5833e3cba3d8b653839e3401dedbb8cf532240a6e45402890f84144d59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "update-lang.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 119729, "scanner": "repobility-threat-engine", "fingerprint": "70bbd39c5b314a41aa9c911c39f23a101a2476dda7402eb20f1c001f861ca561", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|70bbd39c5b314a41aa9c911c39f23a101a2476dda7402eb20f1c001f861ca561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/mediasession.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 119727, "scanner": "repobility-threat-engine", "fingerprint": "374365a36b1f5131f88bf58f6859432b15b2af2fb7665da814c3cbbe5d7bf486", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|374365a36b1f5131f88bf58f6859432b15b2af2fb7665da814c3cbbe5d7bf486"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/rating-dialog.js"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 119726, "scanner": "repobility-threat-engine", "fingerprint": "d580f09182cbd5082c1b6e996f110f9093833c6b09067f228197db623d026d90", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d580f09182cbd5082c1b6e996f110f9093833c6b09067f228197db623d026d90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/icon-mapping.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 119725, "scanner": "repobility-threat-engine", "fingerprint": "876d6df37f9dd43f8f0bbc8e53cf494ee23237cf56a6cea163b41a7075bda454", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|876d6df37f9dd43f8f0bbc8e53cf494ee23237cf56a6cea163b41a7075bda454"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/customactions.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 119714, "scanner": "repobility-threat-engine", "fingerprint": "60d6be488fc9792b7c544c84123a75cbfde5e34988a54174c40e3a6c52f2694e", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|60d6be488fc9792b7c544c84123a75cbfde5e34988a54174c40e3a6c52f2694e"}}}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 119739, "scanner": "repobility-journey-contract", "fingerprint": "fd7e9e63feef07d9a54cf1b4f1e07de8d5b8f806297cd8c8bea438354568b2fa", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|8|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/EN/plugins/MaterialSkin/settings/basic.html"}, "region": {"startLine": 8}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `extract` has cognitive complexity 31 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=7, if=6, nested_bonus=18."}, "properties": {"repobilityId": 119736, "scanner": "repobility-threat-engine", "fingerprint": "14a0444d7d80a51e7668c2b04747365615f1a96e77348eb572ef0938149cd60d", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 31 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "extract", "breakdown": {"if": 6, "for": 7, "nested_bonus": 18}, "complexity": 31, "correlation_key": "fp|14a0444d7d80a51e7668c2b04747365615f1a96e77348eb572ef0938149cd60d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "update-lang.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 119733, "scanner": "repobility-threat-engine", "fingerprint": "4f1c80b728a2bcf0bc54ce792c57ef6b149d9c18bcb5b2e561bd2af6cf9e60a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f1c80b728a2bcf0bc54ce792c57ef6b149d9c18bcb5b2e561bd2af6cf9e60a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "update-lang.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 119732, "scanner": "repobility-threat-engine", "fingerprint": "2eef407477faa4c102078dac08f9c9a53ff2d4dc25e6f564dd1b08b2a232df5f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2eef407477faa4c102078dac08f9c9a53ff2d4dc25e6f564dd1b08b2a232df5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/vuetify/trim.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 119731, "scanner": "repobility-threat-engine", "fingerprint": "f5b89643242d475ba36caba3ae0d5ffc37154722188f2a4bff953c2866f9595f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entries.update(untranslated)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f5b89643242d475ba36caba3ae0d5ffc37154722188f2a4bff953c2866f9595f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "update-lang.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 119730, "scanner": "repobility-threat-engine", "fingerprint": "832f8460a4b1cd5ea119a83834f654ff7be077eac6c6886cccd226f2e3645074", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.fetch(plugin);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|832f8460a4b1cd5ea119a83834f654ff7be077eac6c6886cccd226f2e3645074"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/player-settings-plugin.js"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 119722, "scanner": "repobility-threat-engine", "fingerprint": "d83aee86f575ee1025fa90942f10b91ce8a8a52cb594cb9989753f2feda012a1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(D", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d83aee86f575ee1025fa90942f10b91ce8a8a52cb594cb9989753f2feda012a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/currentcover.js"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 119718, "scanner": "repobility-threat-engine", "fingerprint": "79e5489e03aa3b4b104c3add3c5b4e1846fec11f129f97be33f4a17f56633270", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(platform", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|79e5489e03aa3b4b104c3add3c5b4e1846fec11f129f97be33f4a17f56633270"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/constants.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `tools/closure-compiler/closure-compiler-v20181008.jar` committed in source repo"}, "properties": {"repobilityId": 119708, "scanner": "repobility-supply-chain", "fingerprint": "5676cb73cd4dfb403f3988e293d81d2abb2153eb5881d7fcd47dbc95611c717f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5676cb73cd4dfb403f3988e293d81d2abb2153eb5881d7fcd47dbc95611c717f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/closure-compiler/closure-compiler-v20181008.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 119696, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 119738, "scanner": "gitleaks", "fingerprint": "0f29f1dd74a15970a1d5dd9c62217bffc000b9d46aeac30f5bfb6d7fe5d53062", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "LASTFM_API_KEY = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|materialskin/plugin.pm|6|lastfm_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/Plugin.pm"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 119721, "scanner": "repobility-threat-engine", "fingerprint": "c0fcc130188d4fdc96fbc8aaba57b21a650c2e80ae1eeacbc4521da524d14fb5", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c0fcc130188d4fdc96fbc8aaba57b21a650c2e80ae1eeacbc4521da524d14fb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/icon-mapping.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 119720, "scanner": "repobility-threat-engine", "fingerprint": "c688c43eb7f00a98bc4e35e8899c98bf512ae7299ec2b522f0d471d439d448f0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c688c43eb7f00a98bc4e35e8899c98bf512ae7299ec2b522f0d471d439d448f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/customactions.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 119719, "scanner": "repobility-threat-engine", "fingerprint": "e8f6f867e7e44d8973adb964a3e075be0120e153243298cfc18a1badd3059430", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e8f6f867e7e44d8973adb964a3e075be0120e153243298cfc18a1badd3059430"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MaterialSkin/HTML/material/html/js/constants.js"}, "region": {"startLine": 200}}}]}]}]}