{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AIC008", "name": "Vendored upstream framework tree is mixed with application code", "shortDescription": {"text": "Vendored upstream framework tree is mixed with application code"}, "fullDescription": {"text": "Prefer package management, submodules, or a clearly isolated vendor path. If the copy is intentional, add scanner ignore rules and document the supported customization boundaries."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED098] Global Scope Pollution (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED048] Php Error Suppress (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username (and 43 more): Same pattern found in 43 additional files. Review if needed.", "shortDescription": {"text": "[MINED053] Placeholder Default Username (and 43 more): Same pattern found in 43 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 267 more): Same pattern found in 267 ad", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 267 more): Same pattern found in 267 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED123", "name": "[MINED123] Trojan Source bidi character (LRM) in source: Line 896 contains a Unicode bidirectional override character (U", "shortDescription": {"text": "[MINED123] Trojan Source bidi character (LRM) in source: Line 896 contains a Unicode bidirectional override character (U+200E LRM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see diff"}, "fullDescription": {"text": "Audit the line manually. If the character is not intentional (it almost never is in code), remove it. Configure your editor / pre-commit hook to reject bidi controls in source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/707"}, "properties": {"repository": "wordpress/wordpress", "repoUrl": "https://github.com/wordpress/wordpress", "branch": "master"}, "results": [{"ruleId": "AIC008", "level": "warning", "message": {"text": "Vendored upstream framework tree is mixed with application code"}, "properties": {"repobilityId": 56757, "scanner": "repobility-ai-code-hygiene", "fingerprint": "867d6d20bc5f80ad06d507fd16a0892142f9e3b812d3d3d3700af62cd313c21a", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a known upstream application/framework directory.", "evidence": {"rule_id": "AIC008", "scanner": "repobility-ai-code-hygiene", "directory": "wp-includes", "references": ["https://arxiv.org/abs/2601.15195", "https://git-scm.com/docs/gitignore"], "correlation_key": "fp|867d6d20bc5f80ad06d507fd16a0892142f9e3b812d3d3d3700af62cd313c21a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC008", "level": "warning", "message": {"text": "Vendored upstream framework tree is mixed with application code"}, "properties": {"repobilityId": 56756, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed96d6567fc171d234ae87fc4feb2125332077acf2f9f61438dc9363ad2f6f79", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a known upstream application/framework directory.", "evidence": {"rule_id": "AIC008", "scanner": "repobility-ai-code-hygiene", "directory": "wp-admin", "references": ["https://arxiv.org/abs/2601.15195", "https://git-scm.com/docs/gitignore"], "correlation_key": "fp|ed96d6567fc171d234ae87fc4feb2125332077acf2f9f61438dc9363ad2f6f79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin"}, "region": {"startLine": 1}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 56755, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 56753, "scanner": "repobility-threat-engine", "fingerprint": "5d2ade284ed143d8577283a4d31e081078a0ba57f1955ec7d467d585e48d767d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString( 36 ).substring( 2, 12 );\n\t\t\t\tsource.src += '#?secret=' + secret", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d2ade284ed143d8577283a4d31e081078a0ba57f1955ec7d467d585e48d767d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/wp-embed.js"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 56752, "scanner": "repobility-threat-engine", "fingerprint": "b0e88ccb8d665bd3fa93a6ba978050af27ae99c287f6c5ef91e05a7af9008de7", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here | [R34 auto-suppress: framework-internal path]", "evidence": {"match": "secret = <redacted>", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here | [R34 auto-suppress: framework-internal path]", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "code|crypto|wp-includes/js/wp-embed.js|99|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/wp-embed.js"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 56745, "scanner": "repobility-threat-engine", "fingerprint": "290d550d156bf9b816ff1a3cd6ddae7fb5d9c98375607c84a13baecc2799bb6b", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"{{ data.model.src }}\" target=\"_blank\" class=\"media-widget-video-link\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|261|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/widgets/class-wp-widget-media-video.php"}, "region": {"startLine": 261}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 56744, "scanner": "repobility-threat-engine", "fingerprint": "494a49c017e94e1f3cf261469f889ded0485db9d9bfda31ee3a729fa724e128a", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a class=\"wp-block-navigation-item__content\"';\n\n\t\t// The href attribute on a and area elements is no", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|194|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/blocks/navigation-submenu.php"}, "region": {"startLine": 194}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 56738, "scanner": "repobility-threat-engine", "fingerprint": "e27933b9e435eebd26f1c2e5052d2db863a8896469da9d660e9cc39cba017901", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|43|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/jquery/ui/effect-fold.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 56737, "scanner": "repobility-threat-engine", "fingerprint": "93fccc7b5e18f04572f27eb9d9e2f3edf9dd7d511518fd2fd3dad07d4293dfc0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new function(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|14|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/codemirror/fakejshint.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 56736, "scanner": "repobility-threat-engine", "fingerprint": "eacb42ba53d07565a0e0bc9b67fde762ad9cb4dda46eb672a34d715ec0c5c9a2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|33|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentytwentyone/assets/js/customize-helpers.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 56735, "scanner": "repobility-threat-engine", "fingerprint": "a43e6516dcd6d2383ce1fd80f4adc9da0487f8dd4964a84cd8ee19b11c97e81f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a43e6516dcd6d2383ce1fd80f4adc9da0487f8dd4964a84cd8ee19b11c97e81f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/inc/block-patterns.php"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 56730, "scanner": "repobility-threat-engine", "fingerprint": "2f5ab4306c409aae23e80a6a436f3dc2d021550c4c8c375459c57bcc76ba0487", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = data.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f5ab4306c409aae23e80a6a436f3dc2d021550c4c8c375459c57bcc76ba0487"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/wp-embed.js"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 56729, "scanner": "repobility-threat-engine", "fingerprint": "aae1be5b992b01d88c6eec5284750008dff2fdd3623fbd822d0153381e80a89d", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.location = zipUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aae1be5b992b01d88c6eec5284750008dff2fdd3623fbd822d0153381e80a89d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/privacy-tools.js"}, "region": {"startLine": 91}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 56720, "scanner": "repobility-threat-engine", "fingerprint": "0fa7b331b5b08a68337287a70acf30a69a1196c2f9cb518ea60704e5516775e0", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: framework-internal path]", "evidence": {"match": "catch ( error ) {}", "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: framework-internal path]", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "fp|0fa7b331b5b08a68337287a70acf30a69a1196c2f9cb518ea60704e5516775e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/svg-painter.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 56719, "scanner": "repobility-threat-engine", "fingerprint": "37bccbc8462e160fe7601ccf1fdfaae2cca93dd69583dd5e2eebdabbdbe353e0", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: framework-internal path]", "evidence": {"match": "catch ( er ) {}", "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: framework-internal path]", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "fp|37bccbc8462e160fe7601ccf1fdfaae2cca93dd69583dd5e2eebdabbdbe353e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/privacy-tools.js"}, "region": {"startLine": 323}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 56718, "scanner": "repobility-threat-engine", "fingerprint": "31c625fbc14762453a5827b812725c24fa02fb0797763c512fd1a2e795e5dbe7", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: framework-internal path]", "evidence": {"match": "catch( e ) {}", "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: framework-internal path]", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "fp|31c625fbc14762453a5827b812725c24fa02fb0797763c512fd1a2e795e5dbe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/media-upload.js"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 56713, "scanner": "repobility-threat-engine", "fingerprint": "1d729ba14de0ec2727846d4ab011f530af4367fe80a8d1bbe0db141573965459", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (1.6 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: framework-internal path]", "evidence": {"match": "password = '<redacted>'", "reason": "Low entropy value (1.6 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: framework-internal path]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|11|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/network/site-new.php"}, "region": {"startLine": 111}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 56687, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56792, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bfe160dc1c45371472f6b7f73c0940582c702367d4d9fe8e263c2bc474891852", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfourteen/content-aside.php", "duplicate_line": 1, "correlation_key": "fp|bfe160dc1c45371472f6b7f73c0940582c702367d4d9fe8e263c2bc474891852"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfourteen/content-link.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56791, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bde272c61a0f2af2b95e15b566d0e459d2bf6ef0a75ea3cac52f822ef35ba941", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfourteen/content-aside.php", "duplicate_line": 1, "correlation_key": "fp|bde272c61a0f2af2b95e15b566d0e459d2bf6ef0a75ea3cac52f822ef35ba941"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfourteen/content-image.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56790, "scanner": "repobility-ai-code-hygiene", "fingerprint": "619b8903233d6988ccff2fd4fe671c1dc3d6b01c200c6ec035e5569f82feae18", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfourteen/content-aside.php", "duplicate_line": 1, "correlation_key": "fp|619b8903233d6988ccff2fd4fe671c1dc3d6b01c200c6ec035e5569f82feae18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfourteen/content-gallery.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56789, "scanner": "repobility-ai-code-hygiene", "fingerprint": "388444d98b10e84d436ca3d46ea6be0e05f7aee2f8ccec7d71726bc50db18b8b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfourteen/content-aside.php", "duplicate_line": 1, "correlation_key": "fp|388444d98b10e84d436ca3d46ea6be0e05f7aee2f8ccec7d71726bc50db18b8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfourteen/content-audio.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56788, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76760d720cd1abd183168189ebf2af553e70e41fce6c2982889a274baf2efa1d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfourteen/archive.php", "duplicate_line": 21, "correlation_key": "fp|76760d720cd1abd183168189ebf2af553e70e41fce6c2982889a274baf2efa1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfourteen/category.php"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56787, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91306bc2e86dd3a9fa4f6829a789ce614405f3a5d9a02d87f843cdfdec66c6c0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfourteen/archive.php", "duplicate_line": 22, "correlation_key": "fp|91306bc2e86dd3a9fa4f6829a789ce614405f3a5d9a02d87f843cdfdec66c6c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfourteen/author.php"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56786, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e575c231aa13527a344527d1bfe74c11a856f9744c7533ce0ac08cf5aae45aa1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfifteen/archive.php", "duplicate_line": 16, "correlation_key": "fp|e575c231aa13527a344527d1bfe74c11a856f9744c7533ce0ac08cf5aae45aa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfifteen/search.php"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56785, "scanner": "repobility-ai-code-hygiene", "fingerprint": "beb0e79faff68094921614aee04d0b48428dc1dcb2de26da6de37113e893f571", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfifteen/archive.php", "duplicate_line": 12, "correlation_key": "fp|beb0e79faff68094921614aee04d0b48428dc1dcb2de26da6de37113e893f571"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfifteen/index.php"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56784, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23397293c5c45b3ae9a2eddde883012c9194632fd6f9873818b5ea858df40eb4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfifteen/inc/custom-header.php", "duplicate_line": 136, "correlation_key": "fp|23397293c5c45b3ae9a2eddde883012c9194632fd6f9873818b5ea858df40eb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfifteen/inc/customizer.php"}, "region": {"startLine": 464}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56783, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0bed34bd1b32a16a5619d848d58b65073433b00683a32750f095196fddda49a1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfifteen/content-page.php", "duplicate_line": 13, "correlation_key": "fp|0bed34bd1b32a16a5619d848d58b65073433b00683a32750f095196fddda49a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfifteen/image.php"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56782, "scanner": "repobility-ai-code-hygiene", "fingerprint": "151934b072fd88927cc0167939e344317806e24447f8d4546492466e3cf55e48", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfifteen/content-page.php", "duplicate_line": 13, "correlation_key": "fp|151934b072fd88927cc0167939e344317806e24447f8d4546492466e3cf55e48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfifteen/content.php"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56781, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f77dca22be746d3acb21f85c5d0a36e0d393c06bfe13dc7ac104e8454c6f79cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfifteen/content-link.php", "duplicate_line": 15, "correlation_key": "fp|f77dca22be746d3acb21f85c5d0a36e0d393c06bfe13dc7ac104e8454c6f79cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfifteen/content.php"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56780, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d7e2a7ae2a215699502e5b5a67750f4e978eb217c0d3f1dbeedc3761c2c2bb5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/archive.php", "duplicate_line": 20, "correlation_key": "fp|8d7e2a7ae2a215699502e5b5a67750f4e978eb217c0d3f1dbeedc3761c2c2bb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/tag.php"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56779, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fdc6289d4e9f3a15b0bdf1c41855f3b910d9cd2dedc7ec6b08b684993cd8b73f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/category.php", "duplicate_line": 16, "correlation_key": "fp|fdc6289d4e9f3a15b0bdf1c41855f3b910d9cd2dedc7ec6b08b684993cd8b73f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/tag.php"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56778, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e33d0a2a0da9c0d092ba9fc6aa171a430bb6b041a5dd1f7787adbbe7c9332c11", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/page.php", "duplicate_line": 1, "correlation_key": "fp|e33d0a2a0da9c0d092ba9fc6aa171a430bb6b041a5dd1f7787adbbe7c9332c11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/sidebar-page.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56777, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74c41180a98455cb5df43c4275643d33113b0e5168d2b7581e9db9b5d942f562", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/archive.php", "duplicate_line": 18, "correlation_key": "fp|74c41180a98455cb5df43c4275643d33113b0e5168d2b7581e9db9b5d942f562"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/search.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56776, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e5b6186fe1a4eabd2050eb710eafe64f497d3bdb080918dc00cd19c516afa1f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/archive.php", "duplicate_line": 29, "correlation_key": "fp|4e5b6186fe1a4eabd2050eb710eafe64f497d3bdb080918dc00cd19c516afa1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/index.php"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56775, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3319e6ef8c83cab7c00824376284f02821489607b4ec760941f28278e0519075", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/content-gallery.php", "duplicate_line": 43, "correlation_key": "fp|3319e6ef8c83cab7c00824376284f02821489607b4ec760941f28278e0519075"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/content.php"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56774, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dd31617949895e0f18f65e586a0503a6a0cecef8da7a55d7149a39f41a65c8e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/content-aside.php", "duplicate_line": 9, "correlation_key": "fp|dd31617949895e0f18f65e586a0503a6a0cecef8da7a55d7149a39f41a65c8e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/content.php"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56773, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0cfb70169026457230d308e360ef4b3bfc53a5bb7f7a7b461616a81ba2cec477", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/content-aside.php", "duplicate_line": 8, "correlation_key": "fp|0cfb70169026457230d308e360ef4b3bfc53a5bb7f7a7b461616a81ba2cec477"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/content-status.php"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56772, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c7096b6cb417c7a75b063038c6dca4b2fdd3a98a1068015cfe0da679b2bfcf83", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/content-page.php", "duplicate_line": 6, "correlation_key": "fp|c7096b6cb417c7a75b063038c6dca4b2fdd3a98a1068015cfe0da679b2bfcf83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/content-single.php"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56771, "scanner": "repobility-ai-code-hygiene", "fingerprint": "52e867ae29b053e0bb4bce0bd8b2f80b652a78bb1010d1f33e2f15710c3e54e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/content-gallery.php", "duplicate_line": 43, "correlation_key": "fp|52e867ae29b053e0bb4bce0bd8b2f80b652a78bb1010d1f33e2f15710c3e54e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/content-quote.php"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56770, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea1782da03813839294f7b391a2236d7b1a3e9ae837ceef904affc06c13d5d5b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/content-aside.php", "duplicate_line": 9, "correlation_key": "fp|ea1782da03813839294f7b391a2236d7b1a3e9ae837ceef904affc06c13d5d5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/content-quote.php"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56769, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42ce3cd4377a3bae11e5009cc5d5d2db63dd2d28978ff26b7abacc6779aff752", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/content-aside.php", "duplicate_line": 8, "correlation_key": "fp|42ce3cd4377a3bae11e5009cc5d5d2db63dd2d28978ff26b7abacc6779aff752"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/content-link.php"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56768, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3fb9d9203b5bbbe8c13ca477f1c8a8bc6a0758e2242d5bc6c84f9c39bc11a5af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/archive.php", "duplicate_line": 20, "correlation_key": "fp|3fb9d9203b5bbbe8c13ca477f1c8a8bc6a0758e2242d5bc6c84f9c39bc11a5af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/category.php"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56767, "scanner": "repobility-ai-code-hygiene", "fingerprint": "062266fe3390325dc31b0e4d035df40defaed9aeeed9b55b680bc00ca69647d1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyeleven/archive.php", "duplicate_line": 22, "correlation_key": "fp|062266fe3390325dc31b0e4d035df40defaed9aeeed9b55b680bc00ca69647d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyeleven/author.php"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56766, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b1be52d772d429d6893a2c9bf3d0cebf13e2e4b2474ad758f7a4874c4d40b3e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfifteen/js/skip-link-focus-fix.js", "duplicate_line": 1, "correlation_key": "fp|b1be52d772d429d6893a2c9bf3d0cebf13e2e4b2474ad758f7a4874c4d40b3e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentytwenty/assets/js/skip-link-focus-fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56765, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c97cf55e67828be17a33b6b27d6608a1144880da9b2ef770c5466c19ac86c3f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfifteen/js/skip-link-focus-fix.js", "duplicate_line": 1, "correlation_key": "fp|3c97cf55e67828be17a33b6b27d6608a1144880da9b2ef770c5466c19ac86c3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentysixteen/js/skip-link-focus-fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56764, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6553a503982acedd7d27d285ae13dfb00af860c337503f11946e2db0762c152c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfifteen/js/skip-link-focus-fix.js", "duplicate_line": 2, "correlation_key": "fp|6553a503982acedd7d27d285ae13dfb00af860c337503f11946e2db0762c152c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyseventeen/assets/js/skip-link-focus-fix.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56763, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0031569cef00aa8793f5cdf55bbe2675e0fd9fb566d666262b144f96b011fdba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "wp-content/themes/twentyfifteen/js/skip-link-focus-fix.js", "duplicate_line": 1, "correlation_key": "fp|0031569cef00aa8793f5cdf55bbe2675e0fd9fb566d666262b144f96b011fdba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentynineteen/js/skip-link-focus-fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 56762, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cbae013fbca4c92e6ca12094ab528bd88820d0844f27aeb9d109d08e5cb50b3d", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|cbae013fbca4c92e6ca12094ab528bd88820d0844f27aeb9d109d08e5cb50b3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentytwenty/assets/js/skip-link-focus-fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 56761, "scanner": "repobility-ai-code-hygiene", "fingerprint": "21cdbac048d76e912664d03ebed2da3862f570be2d27d19e16f7203961e828a1", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|21cdbac048d76e912664d03ebed2da3862f570be2d27d19e16f7203961e828a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentysixteen/js/skip-link-focus-fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 56760, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da217b5bd995e0ab6087cb2a8b27a12eb2871cd295c22388cb752f2007c351e8", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|da217b5bd995e0ab6087cb2a8b27a12eb2871cd295c22388cb752f2007c351e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyseventeen/assets/js/skip-link-focus-fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 56759, "scanner": "repobility-ai-code-hygiene", "fingerprint": "01df6faa15255caea1336bf31562872a5dc74d5eb11598ab6981c1f1c9d97288", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|01df6faa15255caea1336bf31562872a5dc74d5eb11598ab6981c1f1c9d97288"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentynineteen/js/skip-link-focus-fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 56758, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cf667011855b496bb8e701177f1344fd584c6906d981d95e5bb9472030ce6331", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|cf667011855b496bb8e701177f1344fd584c6906d981d95e5bb9472030ce6331"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentyfifteen/js/skip-link-focus-fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 56728, "scanner": "repobility-threat-engine", "fingerprint": "bcabfad7271a9bebabadf9bfed874930cb441c4eedffab8e01dfed3a20038b23", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|124|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/wp-custom-header.js"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 56727, "scanner": "repobility-threat-engine", "fingerprint": "0410082695d8202e74187c351f2df7efbef718ddf14b6cac2ee9a21c18e92774", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|wp-includes/js/tw-sack.js|172|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/tw-sack.js"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 56726, "scanner": "repobility-threat-engine", "fingerprint": "4d6f67250bf753eaea47ac2f2e4d59d994f510088c0e5933159682cf5f75cb86", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = _", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|28|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/password-toggle.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 56710, "scanner": "repobility-threat-engine", "fingerprint": "f5aa70880e0388fbc9b585ef7575bb16ed66f4a6d0455ad27468edf86ebe1741", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"attachments[' + id + '][image-size]\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f5aa70880e0388fbc9b585ef7575bb16ed66f4a6d0455ad27468edf86ebe1741"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/media-gallery.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 56709, "scanner": "repobility-threat-engine", "fingerprint": "72d4b2a0cb1c7533dc2cd9de45a81851d08d80258c0c663e44ede9ed71edfd73", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'#in-link-category-' + id + ', #in-popular-link_category-'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|72d4b2a0cb1c7533dc2cd9de45a81851d08d80258c0c663e44ede9ed71edfd73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/link.js"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 56708, "scanner": "repobility-threat-engine", "fingerprint": "a395bd05e140d110e73499a5b228e70d72e5171905b7fe5b4c6a444c2080b5e3", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'/wp/v2/users/' + userId + '/application-passwords?_locale=user'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a395bd05e140d110e73499a5b228e70d72e5171905b7fe5b4c6a444c2080b5e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/application-passwords.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 56743, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 56739, "scanner": "repobility-threat-engine", "fingerprint": "2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 56734, "scanner": "repobility-threat-engine", "fingerprint": "bc622422aece995c7e07e0c16de081f3178587059cc7d4258a61a173910ef549", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bc622422aece995c7e07e0c16de081f3178587059cc7d4258a61a173910ef549"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 56725, "scanner": "repobility-threat-engine", "fingerprint": "8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "aggregated_count": 1}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 56724, "scanner": "repobility-threat-engine", "fingerprint": "c9bba7fc0487d5d07ae7f915093022e76f47e555c0ec03d7fe6a147578542d28", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c9bba7fc0487d5d07ae7f915093022e76f47e555c0ec03d7fe6a147578542d28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/tinymce/plugins/compat3x/plugin.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 56723, "scanner": "repobility-threat-engine", "fingerprint": "4aca5868cb8c8873ade57583706f34aa8063563137a756caaad8ea9c0e702ccf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4aca5868cb8c8873ade57583706f34aa8063563137a756caaad8ea9c0e702ccf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/mediaelement/mediaelement-migrate.js"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 56722, "scanner": "repobility-threat-engine", "fingerprint": "eb01f221ef63da4c484d3dcd1b315696131e0c98bc85e397c783876cb3eb0a4a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb01f221ef63da4c484d3dcd1b315696131e0c98bc85e397c783876cb3eb0a4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/password-strength-meter.js"}, "region": {"startLine": 63}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 56721, "scanner": "repobility-threat-engine", "fingerprint": "55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5"}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 56717, "scanner": "repobility-threat-engine", "fingerprint": "7065727c5535a23438a3a6b2b371c50a1e2511b43a18f8fdb355d5bed1365985", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7065727c5535a23438a3a6b2b371c50a1e2511b43a18f8fdb355d5bed1365985", "aggregated_count": 6}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 56716, "scanner": "repobility-threat-engine", "fingerprint": "b0c93833e89fb7afecf7bf2f7a2b79d0405bbc5937532e6c8981d0e431de0321", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0c93833e89fb7afecf7bf2f7a2b79d0405bbc5937532e6c8981d0e431de0321"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/privacy-tools.js"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 56715, "scanner": "repobility-threat-engine", "fingerprint": "54d01aa6e9e458642063391e0cfd7c2cce0b72192c4b82a355b45fdd6c96623b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|54d01aa6e9e458642063391e0cfd7c2cce0b72192c4b82a355b45fdd6c96623b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/gallery.js"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 56714, "scanner": "repobility-threat-engine", "fingerprint": "415a78663deeb8e389a6a335bfb62bd202ed9ea948c3486ff9a0d842f555c2e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|415a78663deeb8e389a6a335bfb62bd202ed9ea948c3486ff9a0d842f555c2e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/auth-app.js"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 56711, "scanner": "repobility-threat-engine", "fingerprint": "210b9a03c31e13da90d22960eccce857cdcb6cc5e7b1743557068c7b664a66b1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|210b9a03c31e13da90d22960eccce857cdcb6cc5e7b1743557068c7b664a66b1"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 56707, "scanner": "repobility-threat-engine", "fingerprint": "a6263748543b2bb647f5662e2a8d0fcd66e88e3acb30e956839b741190f702a6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a6263748543b2bb647f5662e2a8d0fcd66e88e3acb30e956839b741190f702a6", "aggregated_count": 16}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 56703, "scanner": "repobility-threat-engine", "fingerprint": "fea1d67425f6695416d0e7bff1d857a5fc402b593fa8d99a96384ad5f7d7d973", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fea1d67425f6695416d0e7bff1d857a5fc402b593fa8d99a96384ad5f7d7d973", "aggregated_count": 10}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 56702, "scanner": "repobility-threat-engine", "fingerprint": "042844ba614930c92520a7136e0c5b53f78fe9e571e6cb6434e8a0a73027808b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|042844ba614930c92520a7136e0c5b53f78fe9e571e6cb6434e8a0a73027808b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/includes/class-ftp-sockets.php"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 56701, "scanner": "repobility-threat-engine", "fingerprint": "b73ce52f29b47d780db8c02de2165740c4d9d3f998c2b77d29c2b0fff4f25725", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b73ce52f29b47d780db8c02de2165740c4d9d3f998c2b77d29c2b0fff4f25725"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/includes/class-ftp-pure.php"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 56700, "scanner": "repobility-threat-engine", "fingerprint": "2bf9d7d8e89ab00b907e3e0dcd621c90c0343c12e8d65ee3822257678ae070a8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2bf9d7d8e89ab00b907e3e0dcd621c90c0343c12e8d65ee3822257678ae070a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/includes/class-file-upload-upgrader.php"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username (and 43 more): Same pattern found in 43 additional files. Review if needed."}, "properties": {"repobilityId": 56699, "scanner": "repobility-threat-engine", "fingerprint": "4214f82294ed201afaa0d2eeba03799fd4a9d9a6a2621664ce2043c2841edee4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 43 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4214f82294ed201afaa0d2eeba03799fd4a9d9a6a2621664ce2043c2841edee4", "aggregated_count": 43}}}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 56698, "scanner": "repobility-threat-engine", "fingerprint": "68094d11fdc91f098f4ab363aeda25250e82b2702069f6bdfcabf63003e323dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68094d11fdc91f098f4ab363aeda25250e82b2702069f6bdfcabf63003e323dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/contribute.php"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 56697, "scanner": "repobility-threat-engine", "fingerprint": "2cf9b1e65ebb7cc86a8ece9d46b5587f94ec38e84c02a235961064c9b642b213", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2cf9b1e65ebb7cc86a8ece9d46b5587f94ec38e84c02a235961064c9b642b213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/authorize-application.php"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 56696, "scanner": "repobility-threat-engine", "fingerprint": "e56e483c6db02d24e73c58f5811c137a747de408a689e09fd3ccb39f66faee8f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e56e483c6db02d24e73c58f5811c137a747de408a689e09fd3ccb39f66faee8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/async-upload.php"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 56695, "scanner": "repobility-threat-engine", "fingerprint": "493dc3a53ca5d2fba4e303735f4397dc53a8e472d328a3251e7d8e80b406b007", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|493dc3a53ca5d2fba4e303735f4397dc53a8e472d328a3251e7d8e80b406b007", "aggregated_count": 15}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 56694, "scanner": "repobility-threat-engine", "fingerprint": "80d5a628239f65b1d5889dad30edb7de3bc0730b818938f8abe68e7da51c8a80", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|80d5a628239f65b1d5889dad30edb7de3bc0730b818938f8abe68e7da51c8a80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/includes/credits.php"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 56693, "scanner": "repobility-threat-engine", "fingerprint": "e48383b974ec5abd0ac5a1a793c27afd77292f95370466fca426005639a91be5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e48383b974ec5abd0ac5a1a793c27afd77292f95370466fca426005639a91be5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/includes/class-wp-importer.php"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 56692, "scanner": "repobility-threat-engine", "fingerprint": "8d5919641923cd636e51b9063d737ef60784c68171b1c4a81bd25fcea5d8284e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d5919641923cd636e51b9063d737ef60784c68171b1c4a81bd25fcea5d8284e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-activate.php"}, "region": {"startLine": 159}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 267 more): Same pattern found in 267 additional files. Review if needed."}, "properties": {"repobilityId": 56691, "scanner": "repobility-threat-engine", "fingerprint": "1844fd52ba6bbac6ff6e993be9c7b1fc0358ca097941d02cac1a06bb2dbf5e72", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 267 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 267 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1844fd52ba6bbac6ff6e993be9c7b1fc0358ca097941d02cac1a06bb2dbf5e72"}}}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 56754, "scanner": "repobility-threat-engine", "fingerprint": "fbe9a3f7ed1f1926cdcf7154fdc406f0874aa1b8f4adab8f63149ee464548574", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fbe9a3f7ed1f1926cdcf7154fdc406f0874aa1b8f4adab8f63149ee464548574"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/wp-sanitize.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 56750, "scanner": "repobility-threat-engine", "fingerprint": "2b499fc4ab847e67cf700449423f3d6c66092a966deae3ee0c993fc41aa1d362", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(this.method, this.request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|wp-includes/js/tw-sack.js|136|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/tw-sack.js"}, "region": {"startLine": 136}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 56749, "scanner": "repobility-threat-engine", "fingerprint": "6390a7af0040ab1e2d08941aa8ed53af7ac5904d706f786e2d807041b13c5d63", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.update();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6390a7af0040ab1e2d08941aa8ed53af7ac5904d706f786e2d807041b13c5d63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/wp-pointer.js"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 56748, "scanner": "repobility-threat-engine", "fingerprint": "1bbb760d81fec8e367248bf8fd66c73b338c60d8d2241f3d9300992df550b773", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.model.save();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1bbb760d81fec8e367248bf8fd66c73b338c60d8d2241f3d9300992df550b773"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/customize-views.js"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 56747, "scanner": "repobility-threat-engine", "fingerprint": "6f4042ec3a87cb3ea64a8de9b09637cbd05336be78502275aa66342d1f0adb31", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Loader.messenger.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6f4042ec3a87cb3ea64a8de9b09637cbd05336be78502275aa66342d1f0adb31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/customize-loader.js"}, "region": {"startLine": 247}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 56742, "scanner": "repobility-threat-engine", "fingerprint": "43e0777e4853324300a664328137de5d954023cb26c7ce593367a1e36ad42f42", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec( text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43e0777e4853324300a664328137de5d954023cb26c7ce593367a1e36ad42f42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/shortcode.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 56741, "scanner": "repobility-threat-engine", "fingerprint": "ad2842b507955632cf5a727b4b8fafb0d6b3ea70d9ec215ae199753d2980adda", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec( size", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad2842b507955632cf5a727b4b8fafb0d6b3ea70d9ec215ae199753d2980adda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/jquery/ui/effect-fold.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 56740, "scanner": "repobility-threat-engine", "fingerprint": "9cd9d61bb0dd4322fbc2672dc1ca56db4c06115d9d90987beb4990c39e20ae1e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec( hex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9cd9d61bb0dd4322fbc2672dc1ca56db4c06115d9d90987beb4990c39e20ae1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-content/themes/twentytwentyone/assets/js/customize-helpers.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 56733, "scanner": "repobility-threat-engine", "fingerprint": "00b71129ea99be1a086d427b910456c6adad2c415ed95ecbc7e32fd094d4e81f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(q", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00b71129ea99be1a086d427b910456c6adad2c415ed95ecbc7e32fd094d4e81f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/jquery/suggest.js"}, "region": {"startLine": 212}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 56732, "scanner": "repobility-threat-engine", "fingerprint": "c18846033ecf99edb625a609ae0527d20a69ad01c2b139d47f1a669e677b13e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp( separator", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c18846033ecf99edb625a609ae0527d20a69ad01c2b139d47f1a669e677b13e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/tags-suggest.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 56731, "scanner": "repobility-threat-engine", "fingerprint": "b762440e6eae70c8724b30d68f14f0f83285a8ae63a4ccfcff957815ab359b26", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp( tagDelimiter", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b762440e6eae70c8724b30d68f14f0f83285a8ae63a4ccfcff957815ab359b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/tags-box.js"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 56706, "scanner": "repobility-threat-engine", "fingerprint": "176029955c192d6c5ee49379d2f1a5b4ee01e225d46f6a1929a388f38c7d0e6b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|176029955c192d6c5ee49379d2f1a5b4ee01e225d46f6a1929a388f38c7d0e6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/SimplePie/src/Cache/Memcache.php"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 56705, "scanner": "repobility-threat-engine", "fingerprint": "e52f3fbe0c331a2b91575325fa957fa4a95051acd98a4893ab5ed4af3e9bf5e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e52f3fbe0c331a2b91575325fa957fa4a95051acd98a4893ab5ed4af3e9bf5e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/SimplePie/src/Author.php"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 56704, "scanner": "repobility-threat-engine", "fingerprint": "479ff58887dee9c4d9bb98c77c59a9d4330f8a254295d370c2a94208fb8ab911", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|479ff58887dee9c4d9bb98c77c59a9d4330f8a254295d370c2a94208fb8ab911"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/includes/import.php"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 56690, "scanner": "repobility-threat-engine", "fingerprint": "1d0611189d5f828125238b82354621b712880f9c45658c58cad7b574e887e103", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url( g", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d0611189d5f828125238b82354621b712880f9c45658c58cad7b574e887e103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/async-upload.php"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 56689, "scanner": "repobility-threat-engine", "fingerprint": "ded0ffd20f79e5c632169bdf5047d75ad730e68ff9e0a6b3d411035f5d38dd70", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url( _", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ded0ffd20f79e5c632169bdf5047d75ad730e68ff9e0a6b3d411035f5d38dd70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/admin-footer.php"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 56688, "scanner": "repobility-threat-engine", "fingerprint": "196b8c98b2a109be25082580b24124c36c1350c913dff66930fa4472e4ca72b4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url( n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|196b8c98b2a109be25082580b24124c36c1350c913dff66930fa4472e4ca72b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-activate.php"}, "region": {"startLine": 128}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 56686, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED123", "level": "error", "message": {"text": "[MINED123] Trojan Source bidi character (LRM) in source: Line 896 contains a Unicode bidirectional override character (U+200E LRM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see different code than the human reviewer."}, "properties": {"repobilityId": 56793, "scanner": "repobility-supply-chain", "fingerprint": "7ff15aef0b27c9b8783275aba2df15888a014fa43de07b279d60c3f8dcbdc521", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 4 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"mined": true, "mining": {"slug": "trojan-source-bidi", "owasp": null, "cwe_ids": ["CWE-1007"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "vuln||CVE-2021-42574|token", "duplicate_count": 4, "duplicate_rule_ids": ["MINED123"], "duplicate_scanners": ["repobility-supply-chain"], "duplicate_fingerprints": ["171e77fd97b2ab590af38031fb9b06b0a6390ee553607fea3f861732de4d1c72", "2791227f1fb13f4689e63c4932f8c61eb6d6de7d32d1d1ab24c42af84093f0a2", "7ff15aef0b27c9b8783275aba2df15888a014fa43de07b279d60c3f8dcbdc521", "ccaefeee03d28c0e48387d6eb8f841ff316a8f3a083f10ab261e4e49eb6800f6", "d9f83048a04233dc44cb843400d577a9e02f4417caac2b09c767407de18f570d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/html-api/html5-named-character-references.php"}, "region": {"startLine": 896}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 56751, "scanner": "repobility-threat-engine", "fingerprint": "912bad825a7a6692796f3fc65733417a490dbcfe997b033db1650774e387b751", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|912bad825a7a6692796f3fc65733417a490dbcfe997b033db1650774e387b751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/tw-sack.js"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 56746, "scanner": "repobility-threat-engine", "fingerprint": "adb8906be00ab6fce706b26e9843c77022a2fae2e52658378c189c298bf868f4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|adb8906be00ab6fce706b26e9843c77022a2fae2e52658378c189c298bf868f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-includes/js/codemirror/fakejshint.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 56712, "scanner": "repobility-threat-engine", "fingerprint": "c03733dc6c9724825ad005741168d1bf40a1c998cb6bebfb3fdaae76845c9fb1", "category": "credential_exposure", "severity": "critical", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "High entropy value (4.7 bits) \u2014 likely real secret | [R34 auto-suppress: framework-internal path]", "evidence": {"match": "password=' + encodeURIComponent( response.password );\n\n\t\t\t\twindow.location = url;\n\t\t\t} else {\n\t\t\t\tme", "reason": "High entropy value (4.7 bits) \u2014 likely real secret | [R34 auto-suppress: framework-internal path]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "secret|wp-admin/js/auth-app.js|8|password + encodeuricomponent response.password window.location url else me"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wp-admin/js/auth-app.js"}, "region": {"startLine": 84}}}]}]}]}