{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "fullDescription": {"text": "FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. 
Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/256"}, "properties": {"repository": "allmonday/pydantic-resolve", "repoUrl": "https://github.com/allmonday/pydantic-resolve", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 8006, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] 
FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 8005, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 55, "file_path": "demo/use_case/app_with_context.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 36, "file_path": "demo/use_case/app.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 19, "file_path": "demo/graphql/app.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 12, "file_path": "pydantic_resolve/use_case/context.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 8004, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence 
require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django", "FastAPI", "GraphQL"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 8003, "scanner": "repobility-threat-engine", "fingerprint": "bff3853da732aab93296fb1111396d68f9c362137c7767a527646f4abb8d2b68", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bff3853da732aab93296fb1111396d68f9c362137c7767a527646f4abb8d2b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pydantic_resolve/graphql/schema/generators/sdl_builder.py"}, "region": {"startLine": 537}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 8002, "scanner": "repobility-threat-engine", "fingerprint": "265339b6c17c1c26e25490d8f7f7a73c38d4bc2ccf505279e95705b2412e2f4d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|265339b6c17c1c26e25490d8f7f7a73c38d4bc2ccf505279e95705b2412e2f4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pydantic_resolve/graphql/schema/type_collector.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 8001, "scanner": "repobility-threat-engine", "fingerprint": "1a1fa8d7005b2ac6a05d9fceef9bc5278bbb4760589a029ca43dbd3206e53c90", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a1fa8d7005b2ac6a05d9fceef9bc5278bbb4760589a029ca43dbd3206e53c90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pydantic_resolve/utils/class_util.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 8000, "scanner": "repobility-agent-runtime", "fingerprint": "382b1d8a674d4981487fa9649a28194b74be16e165faf8485046c0ad7f8254ff", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|382b1d8a674d4981487fa9649a28194b74be16e165faf8485046c0ad7f8254ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "demo/use_case/mcp_server.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 7999, "scanner": "repobility-agent-runtime", "fingerprint": 
"5ece7568caf894909b3e0666a1a4996ebf82b9ea3598949cf7b1d16609eb751b", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5ece7568caf894909b3e0666a1a4996ebf82b9ea3598949cf7b1d16609eb751b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "demo/use_case/app.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7998, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a53add23daa48a45dd465859b5bfb0cfb70b618b503b72c75d6936a3f9e08ee0", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/integration/sqlalchemy/conftest.py", "duplicate_line": 64, "correlation_key": "fp|a53add23daa48a45dd465859b5bfb0cfb70b618b503b72c75d6936a3f9e08ee0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/integration/tortoise/conftest.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7997, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47ac9653d500038069c313a47368e09cc945a3dafe29573e5a5435a57edd3376", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": 
"A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/integration/django/dto.py", "duplicate_line": 2, "correlation_key": "fp|47ac9653d500038069c313a47368e09cc945a3dafe29573e5a5435a57edd3376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/integration/tortoise/conftest.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7996, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eedf316a0a5344b7d331b49877714b5877882e5755b15849472f5c4d24d03b00", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/integration/django/dto.py", "duplicate_line": 2, "correlation_key": "fp|eedf316a0a5344b7d331b49877714b5877882e5755b15849472f5c4d24d03b00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/integration/sqlalchemy/conftest.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7995, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25018b43529900a8b5495e9975b35407dba036334eb47cadcd50f90e219be0da", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pydantic_resolve/integration/django/loader.py", "duplicate_line": 29, "correlation_key": "fp|25018b43529900a8b5495e9975b35407dba036334eb47cadcd50f90e219be0da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pydantic_resolve/integration/tortoise/loader.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7994, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c1830bcbe83e7118393f684cc49a7cddef82d55c84f6a189fdf0212a5dfc26c8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pydantic_resolve/integration/django/inspector.py", "duplicate_line": 12, "correlation_key": "fp|c1830bcbe83e7118393f684cc49a7cddef82d55c84f6a189fdf0212a5dfc26c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pydantic_resolve/integration/tortoise/inspector.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7993, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c6e372be6e8760a91ee10e69a54db47b782057b3a5f47bc79ace53c0a424076", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"pydantic_resolve/integration/django/inspector.py", "duplicate_line": 13, "correlation_key": "fp|8c6e372be6e8760a91ee10e69a54db47b782057b3a5f47bc79ace53c0a424076"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pydantic_resolve/integration/sqlalchemy/inspector.py"}, "region": {"startLine": 20}}}]}]}]}