{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `Werkzeug` has no version pin: Unpinned pip requirement means every fresh install may resol", "shortDescription": {"text": "[MINED124] requirements.txt: `Werkzeug` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible inst"}, "fullDescription": {"text": "Replace `Werkzeug` with `Werkzeug==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /mo"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 2.7% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 2.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, 
"properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC075", "name": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from", "shortDescription": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "fullDescription": {"text": "Add `HEALTHCHECK CMD curl -f http://localhost:PORT/health || exit 1`."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC069", "name": "[SEC069] Dockerfile: no USER directive (runs as root) (and 3 more): Same pattern found in 3 additional files. Review if ", "shortDescription": {"text": "[SEC069] Dockerfile: no USER directive (runs as root) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `RUN adduser -D app && USER app` before the CMD/ENTRYPOINT."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 9 more): Same pattern found in 9 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 12 more): Same pattern found in 12 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional file. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 5 more): Same pattern found in 5 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `pkg/fanal/analyzer/testdata/post-apps/jar/jackson-annotations-2.15.0-rc2.jar` committed in sourc", "shortDescription": {"text": "[MINED134] Binary file `pkg/fanal/analyzer/testdata/post-apps/jar/jackson-annotations-2.15.0-rc2.jar` committed in source repo: `pkg/fanal/analyzer/testdata/post-apps/jar/jackson-annotations-2.15.0-rc2.jar` is a .jar binary (75,551 bytes) c"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `sha256:4224eead35ea350b4b9d4ac67550e92efb9a50d3855cb3381469fe4c7e3f2053` not pinned by diges", "shortDescription": {"text": "[MINED118] Dockerfile FROM `sha256:4224eead35ea350b4b9d4ac67550e92efb9a50d3855cb3381469fe4c7e3f2053` not pinned by digest: `FROM sha256:4224eead35ea350b4b9d4ac67550e92efb9a50d3855cb3381469fe4c7e3f2053` resolves the tag at build time. The re"}, "fullDescription": {"text": "Replace with: `FROM sha256:4224eead35ea350b4b9d4ac67550e92efb9a50d3855cb3381469fe4c7e3f2053@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED128", "name": "[MINED128] go.mod replaces `golang.org/x/xerrors` \u2014 points to a LOCAL path: `replace golang.org/x/xerrors => ./xerrors` ", "shortDescription": {"text": "[MINED128] go.mod replaces `golang.org/x/xerrors` \u2014 points to a LOCAL path: `replace golang.org/x/xerrors => ./xerrors` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mo"}, "fullDescription": {"text": "If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._perl` used but never assigned in __init__: Method `generate` of class `OpenSSLConan` reads `self._perl", "shortDescription": {"text": "[MINED108] `self._perl` used but never assigned in __init__: Method `generate` of class `OpenSSLConan` reads `self._perl`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time t"}, "fullDescription": {"text": "Initialize `self._perl = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.", "shortDescription": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. 
Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.TRIVY_WORKFLOW_TRIGGER_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow tri", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.TRIVY_WORKFLOW_TRIGGER_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRIVY_WORKFLOW_TRIGGER_APP_PRIVATE_KE"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/688"}, "properties": {"repository": "aquasecurity/trivy", "repoUrl": "https://github.com/aquasecurity/trivy", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `Werkzeug` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 54211, "scanner": "repobility-supply-chain", "fingerprint": "47e6a9282eed7c7e31fa6d4029f2f3f7071e71a0282347a7303e89b05cbd9f29", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47e6a9282eed7c7e31fa6d4029f2f3f7071e71a0282347a7303e89b05cbd9f29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/python/pip/testdata/happy/requirements.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `MarkupSafe>2.0.0` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 54210, "scanner": "repobility-supply-chain", "fingerprint": "ef58e73b747c476073f32d078f2c84bd2259478899f1a967b52fed42090fcde2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef58e73b747c476073f32d078f2c84bd2259478899f1a967b52fed42090fcde2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/python/pip/testdata/happy/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `Jinja2<3.0.0` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 54209, "scanner": "repobility-supply-chain", "fingerprint": "9d984a2b0c68033e49a01f63689c718e8c2129c1812487f66d10116076e97d70", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d984a2b0c68033e49a01f63689c718e8c2129c1812487f66d10116076e97d70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/python/pip/testdata/happy/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `MarkupSafe>2.0.0` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 54199, "scanner": "repobility-supply-chain", "fingerprint": "be62c0645f9ef61aecd624261cf3a70b8ccc9d8cceac5c291bd6ef7e953c53be", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be62c0645f9ef61aecd624261cf3a70b8ccc9d8cceac5c291bd6ef7e953c53be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/testdata/fixtures/repo/pip/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /module."}, "properties": {"repobilityId": 54149, "scanner": "repobility-access-control", "fingerprint": "63ebcf15dfc63e4add56ca2bf7649b0690e5fded7367ceb1a2daad8d5ee53dbc", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/module", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|250|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/iac/scanners/terraform/parser/evaluator.go"}, "region": {"startLine": 250}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /Content-Type."}, "properties": {"repobilityId": 54147, "scanner": "repobility-access-control", "fingerprint": "3f987f014d138f68b494a8b965bd98b31d3ba0622741ab694c85714669785118", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Content-Type", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/x/http/trace.go|191|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/x/http/trace.go"}, "region": {"startLine": 191}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /Content-Type."}, "properties": {"repobilityId": 54145, "scanner": "repobility-access-control", "fingerprint": "738829ab810a4ab1bebe06252d7506ef69a44dd8b13f183c7b05ead7bd2c3f90", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Content-Type", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|rpc/cache/service.twirp.go|1180|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rpc/cache/service.twirp.go"}, "region": {"startLine": 1180}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /Content-Type."}, "properties": {"repobilityId": 54144, "scanner": "repobility-access-control", "fingerprint": "649eff293e4c3a3c21927ac5eaf05b32b7337ca51db49bb0c1f5099c9d656172", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Content-Type", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|rpc/cache/service.twirp.go|1169|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rpc/cache/service.twirp.go"}, "region": {"startLine": 1169}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 2.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 54142, "scanner": "repobility-access-control", "fingerprint": "7613d309a865d2e1f4a5294a11e037ed80b24f1041785eb571ca354e02a79667", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 37, "correlation_key": "fp|7613d309a865d2e1f4a5294a11e037ed80b24f1041785eb571ca354e02a79667", "auth_visible_percent": 2.7}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 54140, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": 
"auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Chi"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54139, "scanner": "repobility-docker", "fingerprint": "7ebbebf6d3d5fafd3fa40d34d6d7752efa6c3477a5a653a29b312807be369cad", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7ebbebf6d3d5fafd3fa40d34d6d7752efa6c3477a5a653a29b312807be369cad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/artifact/local/testdata/misconfig/dockerfile/single-failure/src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 54138, "scanner": "repobility-docker", "fingerprint": "73b8e785894ece5868e43f4ecac628501b4a7f8c2853e36a185d25eb8f3a6ac3", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": 
{"image": "ubuntu", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|73b8e785894ece5868e43f4ecac628501b4a7f8c2853e36a185d25eb8f3a6ac3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/artifact/local/testdata/misconfig/dockerfile/single-failure/src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54137, "scanner": "repobility-docker", "fingerprint": "086899850cf26c3a51da484ffa9785d848d505f4364ffd045755b3ad672a02f1", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nowhere", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|086899850cf26c3a51da484ffa9785d848d505f4364ffd045755b3ad672a02f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/artifact/local/testdata/misconfig/dockerfile/passed/src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 54136, "scanner": "repobility-docker", "fingerprint": "7502ea1eba5e8804525318c32f0a6e2f330ede0976e74947192216902a67ca99", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", 
"evidence": {"image": "nowhere", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7502ea1eba5e8804525318c32f0a6e2f330ede0976e74947192216902a67ca99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/artifact/local/testdata/misconfig/dockerfile/passed/src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54135, "scanner": "repobility-docker", "fingerprint": "8f7dcd10f4e345b9aad32f810eeb7c376164109163ddd23f93c68ccffcccd941", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8f7dcd10f4e345b9aad32f810eeb7c376164109163ddd23f93c68ccffcccd941"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/artifact/local/testdata/misconfig/dockerfile/multiple-failures/src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 54052, "scanner": "repobility-docker", "fingerprint": "c64105ff2cdb8e4c03b66efd8b15e8de25d4dde50dd1dbe1783cd3e2443bf0de", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag 
or digest.", "evidence": {"image": "alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c64105ff2cdb8e4c03b66efd8b15e8de25d4dde50dd1dbe1783cd3e2443bf0de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/artifact/local/testdata/misconfig/dockerfile/multiple-failures/src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 54051, "scanner": "repobility-docker", "fingerprint": "197cff12eb3165caa13b62abf82e0fd050216e79f5b9363255ddc5cb6e5b8c86", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "ubuntu", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|197cff12eb3165caa13b62abf82e0fd050216e79f5b9363255ddc5cb6e5b8c86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/artifact/local/testdata/misconfig/dockerfile/multiple-failures/src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54050, "scanner": "repobility-docker", "fingerprint": "822a2e78ab7a5efb23410bca3f3d4a3f3f4350998a515f2eb8637ec03c7566ef", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", 
"evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|822a2e78ab7a5efb23410bca3f3d4a3f3f4350998a515f2eb8637ec03c7566ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/config/testdata/src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 54049, "scanner": "repobility-docker", "fingerprint": "4233c7f9b6a23535cd7226c6c941ad90b0f5e19ebe873e8b779b786e94d44d59", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "ubuntu", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4233c7f9b6a23535cd7226c6c941ad90b0f5e19ebe873e8b779b786e94d44d59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/config/testdata/src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54048, "scanner": "repobility-docker", "fingerprint": "2b8578dfd9c9306b37d5ab2851ede6d9ad4d6bda527487a5ffb563ffad19a471", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": 
"repobility-docker", "final_base": "sha256:4224eead35ea350b4b9d4ac67550e92efb9a50d3855cb3381469fe4c7e3f2053", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2b8578dfd9c9306b37d5ab2851ede6d9ad4d6bda527487a5ffb563ffad19a471"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/buildinfo/testdata/dockerfile/Dockerfile.sad"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54047, "scanner": "repobility-docker", "fingerprint": "cbdad4e13f355f7528302d06842bb017df842b0684273240fece621933eae9fe", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "maven:3.6.3-jdk-11", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cbdad4e13f355f7528302d06842bb017df842b0684273240fece621933eae9fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/java/jar/testdata/testimage/maven/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54046, "scanner": "repobility-docker", "fingerprint": "5a21d40ef7a8b6a4e5c0936df9960b201307367ad748796df3bf2ef31900ac1e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": 
false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "gradle:6.8.1-jdk", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5a21d40ef7a8b6a4e5c0936df9960b201307367ad748796df3bf2ef31900ac1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/java/jar/testdata/testimage/gradle/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54045, "scanner": "repobility-docker", "fingerprint": "e339bfc02e2922ef4eb77d14afb6c4cca6bc2a4eeb570f7abaf28fb122fafe59", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.13", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e339bfc02e2922ef4eb77d14afb6c4cca6bc2a4eeb570f7abaf28fb122fafe59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/testdata/fixtures/repo/dockerfile/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54044, "scanner": "repobility-docker", "fingerprint": "94b77a2e5fe7f79e4929760a50a8d6e7fc0d51af354ae627ad1f8965a00b91aa", "category": "docker", "severity": "medium", "confidence": 0.82, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "squidfunk/mkdocs-material:9.5.44", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|94b77a2e5fe7f79e4929760a50a8d6e7fc0d51af354ae627ad1f8965a00b91aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/build/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54042, "scanner": "repobility-docker", "fingerprint": "6243b0cf7205a187a2175044cb7b0672db554b306ab0f9880635083bcaa87951", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.23.4", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6243b0cf7205a187a2175044cb7b0672db554b306ab0f9880635083bcaa87951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.canary"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54040, "scanner": "repobility-docker", "fingerprint": "bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": 
"open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.23.4", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 54039, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "pkg/rpc/server/testdata/newdb/trivy.db", "size_mb": 0.0}, {"path": "pkg/cache/testdata/broken-layer.db", "size_mb": 0.0}, {"path": "pkg/cache/testdata/broken-image.db", "size_mb": 0.0}, {"path": "pkg/cache/testdata/fanal.db", "size_mb": 0.0}, {"path": "pkg/cache/testdata/different-image-schema.db", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote 
install command pipes network code directly to a shell"}, "properties": {"repobilityId": 54038, "scanner": "repobility-agent-runtime", "fingerprint": "6c4e76e9b842ac997356f8224bb3f05a0757daffe10dc926ff32b9bed55f987c", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|6c4e76e9b842ac997356f8224bb3f05a0757daffe10dc926ff32b9bed55f987c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/tutorials/integrations/circleci.md"}, "region": {"startLine": 19}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 54037, "scanner": "repobility-agent-runtime", "fingerprint": "0696670f8c75edebbc0e6e92adbbe7cbc79ad6c064ef993ee2fdff5905d2ae29", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0696670f8c75edebbc0e6e92adbbe7cbc79ad6c064ef993ee2fdff5905d2ae29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/guide/advanced/container/embed-in-dockerfile.md"}, "region": {"startLine": 12}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 54036, "scanner": "repobility-agent-runtime", "fingerprint": "2b636e483751af6b066e8b8856dafcb64bdc4b993a687a33d8f335dc19f6c683", "category": "dependency", 
"severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|2b636e483751af6b066e8b8856dafcb64bdc4b993a687a33d8f335dc19f6c683"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/Trivy.gitlab-ci.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 54016, "scanner": "repobility-threat-engine", "fingerprint": "26837c4095979cefc474250d957e14b8b6e60d49555fa17894c8f9c49a1e2548", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:              s.addr,\n\t\tHandler:           s.NewServeMux(ctx, serverCache, dbUpd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|26837c4095979cefc474250d957e14b8b6e60d49555fa17894c8f9c49a1e2548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/rpc/server/listen.go"}, "region": {"startLine": 67}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 54043, "scanner": "repobility-docker", "fingerprint": "9bb96af859d50e223ae6190332d5d33b6c7311ab51cb6c76961d3eeb6a210367", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9bb96af859d50e223ae6190332d5d33b6c7311ab51cb6c76961d3eeb6a210367"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/build/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 54041, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54035, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4440a55cd49bdfce4de7ddef14164d32f5bb66c5fd69ec73139e580738adad0a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"pkg/fanal/analyzer/os/redhatbase/alma.go", "duplicate_line": 1, "correlation_key": "fp|4440a55cd49bdfce4de7ddef14164d32f5bb66c5fd69ec73139e580738adad0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/os/redhatbase/rocky.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54034, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a97686779d524dd3c731adffd1eb1e239d2b19c3e01d350b00669c6318b129b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/fanal/analyzer/os/redhatbase/alma.go", "duplicate_line": 1, "correlation_key": "fp|7a97686779d524dd3c731adffd1eb1e239d2b19c3e01d350b00669c6318b129b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/os/redhatbase/oracle.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54033, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c4e5b2e230b791d6b380fc6341d3f2660f3b9b247e0be413332637c05f1fc5d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/fanal/analyzer/os/redhatbase/alma.go", "duplicate_line": 1, "correlation_key": 
"fp|6c4e5b2e230b791d6b380fc6341d3f2660f3b9b247e0be413332637c05f1fc5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/os/redhatbase/fedora.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54032, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9fc7089d597c444548e8d739412cf44a042c90f0bf78c65467bf2556eceac627", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/fanal/analyzer/os/redhatbase/alma.go", "duplicate_line": 1, "correlation_key": "fp|9fc7089d597c444548e8d739412cf44a042c90f0bf78c65467bf2556eceac627"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/os/redhatbase/centos.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54031, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58f23b1245bd4154a1909b457096340d8ee3fdcff3dee66447a183a8375808c1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/dependency/parser/java/pom/pom.go", "duplicate_line": 231, "correlation_key": "fp|58f23b1245bd4154a1909b457096340d8ee3fdcff3dee66447a183a8375808c1"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "pkg/fanal/analyzer/language/java/gradle/pom.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54030, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d4049370ab3129ae08c61092b4aad69f8a4069cebacc1d56d7b2717c450c2db4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/fanal/analyzer/language/dart/pub/pubspec.go", "duplicate_line": 68, "correlation_key": "fp|d4049370ab3129ae08c61092b4aad69f8a4069cebacc1d56d7b2717c450c2db4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/java/gradle/lockfile.go"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54029, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7d1a3308990f9c2b7d47539b65a5a2bf97aac1840091f74b709b1d076c102736", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir/.conan/data/zlib/1.2.13/_/_/export/conanfile.py", "duplicate_line": 1, "correlation_key": "fp|7d1a3308990f9c2b7d47539b65a5a2bf97aac1840091f74b709b1d076c102736"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/zlib41bd3946e7341/e/conanfile.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54028, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99821ac219c92084e8769b46128202a7456820ef9d28e815f7acd5adc6e299cc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir/.conan/data/openssl/3.0.5/_/_/export/conanfile.py", "duplicate_line": 7, "correlation_key": "fp|99821ac219c92084e8769b46128202a7456820ef9d28e815f7acd5adc6e299cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54027, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e055141b82f4b92a9410f759cbe57bebf89df849a0750637e32643f7ca36315b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/detector/ospkg/chainguard/chainguard.go", "duplicate_line": 40, "correlation_key": "fp|e055141b82f4b92a9410f759cbe57bebf89df849a0750637e32643f7ca36315b"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "pkg/detector/ospkg/wolfi/wolfi.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54026, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9f54f29471fc5e986e1fb5f0b3f0f41dd93ea762f8158265301eb47f0a19313e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/detector/ospkg/minimos/minimos.go", "duplicate_line": 35, "correlation_key": "fp|9f54f29471fc5e986e1fb5f0b3f0f41dd93ea762f8158265301eb47f0a19313e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/detector/ospkg/wolfi/wolfi.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54025, "scanner": "repobility-ai-code-hygiene", "fingerprint": "707b4ddd597dfc228b5fabbd62129cbbdb6214f8b8577e00241d185203c3cd49", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/detector/ospkg/oracle/oracle.go", "duplicate_line": 54, "correlation_key": "fp|707b4ddd597dfc228b5fabbd62129cbbdb6214f8b8577e00241d185203c3cd49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/detector/ospkg/suse/suse.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54024, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1863e10bf902f5b3cfccf44778cdf425d7a1bd3a577c1f54bfe2fa746f5b6657", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/detector/ospkg/photon/photon.go", "duplicate_line": 43, "correlation_key": "fp|1863e10bf902f5b3cfccf44778cdf425d7a1bd3a577c1f54bfe2fa746f5b6657"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/detector/ospkg/suse/suse.go"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54023, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a18f6b42f1e8c46d3fcf05393b22b9c1af3900641d48e2262f8a82ec5650fcb1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/detector/ospkg/rootio/rootio.go", "duplicate_line": 66, "correlation_key": "fp|a18f6b42f1e8c46d3fcf05393b22b9c1af3900641d48e2262f8a82ec5650fcb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/detector/ospkg/seal/seal.go"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54022, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "352a6df34e4456dc3f85fcaa8d4a85afc054006726123f2bba995a14e993ad15", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/detector/ospkg/alma/alma.go", "duplicate_line": 49, "correlation_key": "fp|352a6df34e4456dc3f85fcaa8d4a85afc054006726123f2bba995a14e993ad15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/detector/ospkg/rocky/rocky.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54021, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a409e8824c560c38e4dcd05d06c3f67df768aed6ccb2bdf42957d38b376bea5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/detector/ospkg/alma/alma.go", "duplicate_line": 78, "correlation_key": "fp|0a409e8824c560c38e4dcd05d06c3f67df768aed6ccb2bdf42957d38b376bea5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/detector/ospkg/redhat/redhat.go"}, "region": {"startLine": 143}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54020, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d3170147e841bf28af0dbecd4d46fed0e2397e3cf7dd1d331eecb957247fa842", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/detector/ospkg/oracle/oracle.go", "duplicate_line": 54, "correlation_key": "fp|d3170147e841bf28af0dbecd4d46fed0e2397e3cf7dd1d331eecb957247fa842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/detector/ospkg/photon/photon.go"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54019, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dc6565f1e7ecc18f4d0fe8fb635a19aedf8105ea69e42ced43c23bdf9826ba7d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/detector/ospkg/chainguard/chainguard.go", "duplicate_line": 40, "correlation_key": "fp|dc6565f1e7ecc18f4d0fe8fb635a19aedf8105ea69e42ced43c23bdf9826ba7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/detector/ospkg/minimos/minimos.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54018, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5582e4fc02b68d243d0391018a8ceb650a63612e328398fc99edb9de3bd5c595", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window 
appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/detector/ospkg/bottlerocket/bottlerocket.go", "duplicate_line": 2, "correlation_key": "fp|5582e4fc02b68d243d0391018a8ceb650a63612e328398fc99edb9de3bd5c595"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/detector/ospkg/coreos/coreos.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54017, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c9cf3d63c3daaaadc2b2c91f228bfa41a26083abeac881af38fba92c8685ed31", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/dependency/parser/julia/manifest/naive_pkg_parser.go", "duplicate_line": 13, "correlation_key": "fp|c9cf3d63c3daaaadc2b2c91f228bfa41a26083abeac881af38fba92c8685ed31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/rust/cargo/naive_pkg_parser.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). 
Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 54004, "scanner": "repobility-threat-engine", "fingerprint": "3b5310f73ec2646302cffba32818ab82ee27d3811b9ca859e508b23e618f36b0", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package dockerfile\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"regexp\"\n\t\"strings\"\n\n\tv1 \"github.com/google", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b5310f73ec2646302cffba32818ab82ee27d3811b9ca859e508b23e618f36b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). 
Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 54003, "scanner": "repobility-threat-engine", "fingerprint": "d74b95e1334ffd7e345bec9a90ba107c3ac915d69620f8cb9b4c2e5db32bc519", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package dockerfile\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/aquasecurity/trivy/pkg/", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d74b95e1334ffd7e345bec9a90ba107c3ac915d69620f8cb9b4c2e5db32bc519"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/config/dockerfile/docker.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). 
Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 54002, "scanner": "repobility-threat-engine", "fingerprint": "d784f7aefac9b1a2be1ff45badffa034acfde52a7d7d7d58921c62a3bbeb85dc", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package buildinfo\n\nimport (\n\t\"context\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/moby/buildkit", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d784f7aefac9b1a2be1ff45badffa034acfde52a7d7d7d58921c62a3bbeb85dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/buildinfo/dockerfile.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 53986, "scanner": "repobility-threat-engine", "fingerprint": "16019f3bbf044ca6a61dfde4d2163e34cde3e20bd77d521189d0c622db2f7ade", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = d.InputPos(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|16019f3bbf044ca6a61dfde4d2163e34cde3e20bd77d521189d0c622db2f7ade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/java/pom/pom.go"}, "region": {"startLine": 343}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 53985, 
"scanner": "repobility-threat-engine", "fingerprint": "8cad52b21f65ea85ff28d8c61c724e20c91717a64dd318ed9bfc9c05d459fd07", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = strings.Cut(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8cad52b21f65ea85ff28d8c61c724e20c91717a64dd318ed9bfc9c05d459fd07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/golang/binary/parse.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 53984, "scanner": "repobility-threat-engine", "fingerprint": "311227227f17bb1cd1db0a902ad18faddcc5ec6b3d2803f64d75d22c5b31030f", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = cache.Close(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|311227227f17bb1cd1db0a902ad18faddcc5ec6b3d2803f64d75d22c5b31030f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/cache/client.go"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 54014, "scanner": "repobility-threat-engine", "fingerprint": "0c47fd67120bb31fdf3938e3d3e9974384b2bb20fc03db1731087890a8a838be", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "Logger.Debug(\"Found a token for the registry\", log.String(\"hostname\", hostname)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|logger.debug found a token for the registry log.string hostname hostname"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/iac/scanners/terraform/parser/resolvers/registry.go"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 54010, "scanner": "repobility-threat-engine", "fingerprint": "f22f328dcdd6fc1923e13cfe844b0942b9b759801f6bbbe622b89e53631380a6", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".Eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|pkg/result/filter.go|316|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/result/filter.go"}, "region": {"startLine": 316}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 54009, "scanner": "repobility-threat-engine", "fingerprint": "18477c0af8070ade1775eb2dd41cc039ba4dd0abf46ecba0848b7007cda2fd17", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".Eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|pkg/iac/rego/scanner.go|143|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/iac/rego/scanner.go"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC075", "level": "none", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 54005, "scanner": "repobility-threat-engine", "fingerprint": "9f299a0c65aa824ebd0054f2399e0f8057367fc3abe385ba69e3540364d475da", "category": "docker", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9f299a0c65aa824ebd0054f2399e0f8057367fc3abe385ba69e3540364d475da"}}}, {"ruleId": "SEC069", "level": "none", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root) (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 54001, "scanner": "repobility-threat-engine", "fingerprint": "bc4e95c5b974ac9633ade92d255d23138018b8b027d31de93c0c03f27d8cb846", "category": "docker", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bc4e95c5b974ac9633ade92d255d23138018b8b027d31de93c0c03f27d8cb846"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 53997, "scanner": "repobility-threat-engine", "fingerprint": "fd83eb7cb10602c44396d64efe9c65dbef21a0798574f64d6bc8a3f070631a41", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fd83eb7cb10602c44396d64efe9c65dbef21a0798574f64d6bc8a3f070631a41", "aggregated_count": 9}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 12 more): Same pattern found in 12 additional files. 
Review if needed."}, "properties": {"repobilityId": 53993, "scanner": "repobility-threat-engine", "fingerprint": "2dd7741d048fa4125233f4d38169b7b6bfcf254bfbcc6b391ac104e43dd71249", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2dd7741d048fa4125233f4d38169b7b6bfcf254bfbcc6b391ac104e43dd71249"}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 46 more): Same pattern found in 46 additional files. Review if needed."}, "properties": {"repobilityId": 53987, "scanner": "repobility-threat-engine", "fingerprint": "dbea112cd8e7e367f2ebd85948772b73d4bdbe7f7927e4c2fedd087469b34e3b", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 46 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 46 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dbea112cd8e7e367f2ebd85948772b73d4bdbe7f7927e4c2fedd087469b34e3b"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 53983, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 53982, "scanner": "repobility-threat-engine", "fingerprint": "aac2955048808dfd0070594a5c0232033c005139b1d2ad8f7f1ec2d0afc66aa1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aac2955048808dfd0070594a5c0232033c005139b1d2ad8f7f1ec2d0afc66aa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/sbom/sbom.go"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": 
"[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 53981, "scanner": "repobility-threat-engine", "fingerprint": "3945a0fcd907d6740d98b887e9277502324e7f0540d2e06f923000731f740d29", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3945a0fcd907d6740d98b887e9277502324e7f0540d2e06f923000731f740d29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/image/daemon/podman.go"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 53980, "scanner": "repobility-threat-engine", "fingerprint": "da6629a21d97de503958fdc8d6a9576b5f33f5aadc8c84e9d8f137d98a165bf5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da6629a21d97de503958fdc8d6a9576b5f33f5aadc8c84e9d8f137d98a165bf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"internal/testutil/localstack.go"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 53979, "scanner": "repobility-threat-engine", "fingerprint": "5c52357a69401c9774166fe17796ef00b9228c4db757bee258e4ec5a5f319775", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5c52357a69401c9774166fe17796ef00b9228c4db757bee258e4ec5a5f319775", "aggregated_count": 5}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 53978, "scanner": "repobility-threat-engine", "fingerprint": "b06bd749d07b7dff21627701f292f10d7452dfbb6c14ae1120fd18d9673c8592", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b06bd749d07b7dff21627701f292f10d7452dfbb6c14ae1120fd18d9673c8592"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/iac/rego/convert/slice.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 53977, "scanner": "repobility-threat-engine", "fingerprint": "5d008c657d5b41d86a04b64ca97117fa53e5236d5784ddc31cc4116174b3e061", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d008c657d5b41d86a04b64ca97117fa53e5236d5784ddc31cc4116174b3e061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misc/eol/main.go"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 53976, "scanner": "repobility-threat-engine", "fingerprint": "46dfe8916d650d4f9c85c1fd0ead10e3230275ee40310eff1421a348c16a1ba6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46dfe8916d650d4f9c85c1fd0ead10e3230275ee40310eff1421a348c16a1ba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/testutil/image.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 53975, "scanner": "repobility-threat-engine", "fingerprint": "4b6d8eee8856ae8cfc81502c27b15ed14dd19ef02fea0b0ed9c59fe7c378cead", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4b6d8eee8856ae8cfc81502c27b15ed14dd19ef02fea0b0ed9c59fe7c378cead", "aggregated_count": 7}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 53971, "scanner": "repobility-threat-engine", "fingerprint": "6073816a432243fd44bb98cecf3f26daa189aaf43986375efb653956fefe832a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6073816a432243fd44bb98cecf3f26daa189aaf43986375efb653956fefe832a", "aggregated_count": 5}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 53970, "scanner": "repobility-threat-engine", "fingerprint": "c913d03a4c22ce0cbb4953a9dfbe358c8708d1004956c0e451a30301360a90c3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c913d03a4c22ce0cbb4953a9dfbe358c8708d1004956c0e451a30301360a90c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/iac/rego/load.go"}, "region": {"startLine": 330}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 53969, "scanner": "repobility-threat-engine", "fingerprint": "517de6648a08da727eddfca353b10ce5151292d16d435c17c93d1282e296fbdd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|517de6648a08da727eddfca353b10ce5151292d16d435c17c93d1282e296fbdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "magefiles/spdx.go"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 53968, "scanner": "repobility-threat-engine", "fingerprint": "15a05d6f9b2cbf7780b9bf1886eec6f9628e7b8c0945dabcbfd811d91a7967ed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15a05d6f9b2cbf7780b9bf1886eec6f9628e7b8c0945dabcbfd811d91a7967ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/trivy/main.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 53967, "scanner": "repobility-threat-engine", "fingerprint": "e5363f7f9b9e7bdce52bc006991b90967843bc19b76a4ce120320eded4e96dd9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e5363f7f9b9e7bdce52bc006991b90967843bc19b76a4ce120320eded4e96dd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/trivy-triage/helpers.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `pkg/fanal/analyzer/testdata/post-apps/jar/jackson-annotations-2.15.0-rc2.jar` committed in source repo: `pkg/fanal/analyzer/testdata/post-apps/jar/jackson-annotations-2.15.0-rc2.jar` is a .jar binary (75,551 bytes) committed to a repo that otherwise has 1739 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 54221, "scanner": "repobility-supply-chain", "fingerprint": "b7e19acdbcfd83328d574b1e12efe0c2a25e1cd3acf893703bfc4a4d28b29e30", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b7e19acdbcfd83328d574b1e12efe0c2a25e1cd3acf893703bfc4a4d28b29e30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/testdata/post-apps/jar/jackson-annotations-2.15.0-rc2.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `pkg/fanal/analyzer/language/java/jar/testdata/test.jar` committed in source repo: `pkg/fanal/analyzer/language/java/jar/testdata/test.jar` is a .jar binary (277,275 bytes) committed to a repo that otherwise has 1739 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 54220, "scanner": "repobility-supply-chain", "fingerprint": "8c57a7357609c48c465dc81e4356103002b24eebc5b939c86b991d6f836d2bf6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c57a7357609c48c465dc81e4356103002b24eebc5b939c86b991d6f836d2bf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/java/jar/testdata/test.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `pkg/dependency/parser/java/jar/testdata/nested.jar` committed in source repo: `pkg/dependency/parser/java/jar/testdata/nested.jar` is a .jar binary (1,483 bytes) committed to a repo that otherwise has 1739 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 54219, "scanner": "repobility-supply-chain", "fingerprint": "99a1fe0d8eef207449f1baa3bf26050484a1d237cc492487b90eac696789813b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99a1fe0d8eef207449f1baa3bf26050484a1d237cc492487b90eac696789813b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/java/jar/testdata/nested.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `pkg/dependency/parser/java/jar/testdata/test.jar` committed in source repo: `pkg/dependency/parser/java/jar/testdata/test.jar` is a .jar binary (1,105 bytes) committed to a repo that otherwise has 1739 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 54218, "scanner": "repobility-supply-chain", "fingerprint": "18c50fb7ef5eaa928e73ad13de7da044b148362ab4a03de75075442b6b5671d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|18c50fb7ef5eaa928e73ad13de7da044b148362ab4a03de75075442b6b5671d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/java/jar/testdata/test.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `pkg/dependency/parser/java/jar/testdata/heuristic-1.0.0-SNAPSHOT.jar` committed in source repo: `pkg/dependency/parser/java/jar/testdata/heuristic-1.0.0-SNAPSHOT.jar` is a .jar binary (358 bytes) committed to a repo that otherwise has 1739 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 54217, "scanner": "repobility-supply-chain", "fingerprint": "d1d19009988616c0a8c56a650d52e3a7e5c8d28112893a66b8b17613b0be3751", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1d19009988616c0a8c56a650d52e3a7e5c8d28112893a66b8b17613b0be3751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/java/jar/testdata/heuristic-1.0.0-SNAPSHOT.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `pkg/dependency/parser/java/jar/testdata/io.quarkus.gizmo.gizmo-1.1.jar` committed in source repo: `pkg/dependency/parser/java/jar/testdata/io.quarkus.gizmo.gizmo-1.1.jar` is a .jar binary (884,288 bytes) committed to a repo that otherwise has 1739 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 54216, "scanner": "repobility-supply-chain", "fingerprint": "16006d4cefecc665327dfaa0bde3ab4888651f6caa296a95a46007af36bcc69f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16006d4cefecc665327dfaa0bde3ab4888651f6caa296a95a46007af36bcc69f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/java/jar/testdata/io.quarkus.gizmo.gizmo-1.1.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `pkg/dependency/parser/java/jar/testdata/hadoop-shaded-guava-1.1.0-SNAPSHOT.jar` committed in source repo: `pkg/dependency/parser/java/jar/testdata/hadoop-shaded-guava-1.1.0-SNAPSHOT.jar` is a .jar binary (18,264 bytes) committed to a repo that otherwise has 1739 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 54215, "scanner": "repobility-supply-chain", "fingerprint": "4ab2a28870e110132b153cc3dfbd827e51023843add4ea88412f430c6d0ade05", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ab2a28870e110132b153cc3dfbd827e51023843add4ea88412f430c6d0ade05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/java/jar/testdata/hadoop-shaded-guava-1.1.0-SNAPSHOT.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `pkg/dependency/parser/golang/binary/testdata/test.exe` committed in source repo: `pkg/dependency/parser/golang/binary/testdata/test.exe` is a .exe binary (2,708,480 bytes) committed to a repo that otherwise has 1739 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 54214, "scanner": "repobility-supply-chain", "fingerprint": "026c4c7a48af0e7673fecb96eb77522f57246467ce5c03d66efa5f1c4661b0fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|026c4c7a48af0e7673fecb96eb77522f57246467ce5c03d66efa5f1c4661b0fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/golang/binary/testdata/test.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `pkg/dependency/parser/rust/binary/testdata/test.exe` committed in source repo: `pkg/dependency/parser/rust/binary/testdata/test.exe` is a .exe binary (1,394,632 bytes) committed to a repo that otherwise has 1739 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 54213, "scanner": "repobility-supply-chain", "fingerprint": "54a5297459a054cb0bd317bcbcd22008181cf0a2a4ce186334be303325a29a3c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54a5297459a054cb0bd317bcbcd22008181cf0a2a4ce186334be303325a29a3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/rust/binary/testdata/test.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `sha256:4224eead35ea350b4b9d4ac67550e92efb9a50d3855cb3381469fe4c7e3f2053` not pinned by digest: `FROM sha256:4224eead35ea350b4b9d4ac67550e92efb9a50d3855cb3381469fe4c7e3f2053` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 54212, "scanner": "repobility-supply-chain", "fingerprint": "e248a73f8675dad09c73bce95142694823faf349d1b2472191eecceed3041b2c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e248a73f8675dad09c73bce95142694823faf349d1b2472191eecceed3041b2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/buildinfo/testdata/dockerfile/Dockerfile.sad"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gradle:6.8.1-jdk` not pinned by digest: `FROM gradle:6.8.1-jdk` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 54208, "scanner": "repobility-supply-chain", "fingerprint": "75553a1b00d14bcbf0238d88cf7187c14287ba3a7ac201775f4a15edd0925699", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75553a1b00d14bcbf0238d88cf7187c14287ba3a7ac201775f4a15edd0925699"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/java/jar/testdata/testimage/gradle/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `maven:3.6.3-jdk-11` not pinned by digest: `FROM maven:3.6.3-jdk-11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 54207, "scanner": "repobility-supply-chain", "fingerprint": "ac66d90c620d44d8d2a49d1d4991748a1bf6a452db55ee4d99b5166603c0034b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac66d90c620d44d8d2a49d1d4991748a1bf6a452db55ee4d99b5166603c0034b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/java/jar/testdata/testimage/maven/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `golang.org/x/xerrors` \u2014 points to a LOCAL path: `replace golang.org/x/xerrors => ./xerrors` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 54206, "scanner": "repobility-supply-chain", "fingerprint": "d0a4ea1cfca9bfc91538405f82ded7a7bfbfc1670cda7b30e99c087586ec5012", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0a4ea1cfca9bfc91538405f82ded7a7bfbfc1670cda7b30e99c087586ec5012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/golang/mod/testdata/replaced-with-local-path-and-version/go.mod"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `golang.org/x/xerrors` \u2014 points to a LOCAL path: `replace golang.org/x/xerrors => ./xerrors` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 54205, "scanner": "repobility-supply-chain", "fingerprint": "02d43d4549035ba8db8b479df04790a900d5803a0c8c6d46560e3a159b4ca3dd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02d43d4549035ba8db8b479df04790a900d5803a0c8c6d46560e3a159b4ca3dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/golang/mod/testdata/replaced-with-local-path/go.mod"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `golang.org/x/xerrors` \u2014 points to a LOCAL path: `replace golang.org/x/xerrors => ./xerrors` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 54204, "scanner": "repobility-supply-chain", "fingerprint": "edd7192a5b07aecb2e2ef1e4a097579b148e9bcdafd8c4db7a5709dbcceab9ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|edd7192a5b07aecb2e2ef1e4a097579b148e9bcdafd8c4db7a5709dbcceab9ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/golang/mod/testdata/replaced-with-local-path-and-version-mismatch/go.mod"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.13` not pinned by digest: `FROM alpine:3.13` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 54201, "scanner": "repobility-supply-chain", "fingerprint": "7b62b659b12cb49111107b5ec2813b31cfae983083346d4545b425fa5586c0a8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b62b659b12cb49111107b5ec2813b31cfae983083346d4545b425fa5586c0a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/testdata/fixtures/repo/custom-policy/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.13` not pinned by digest: `FROM alpine:3.13` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 54200, "scanner": "repobility-supply-chain", "fingerprint": "57c4b512c81e41c4a31daafdda6264ce37ed6be9099a073e628520ef542c448f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57c4b512c81e41c4a31daafdda6264ce37ed6be9099a073e628520ef542c448f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/testdata/fixtures/repo/dockerfile/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.23.4` not pinned by digest: `FROM alpine:3.23.4` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 54198, "scanner": "repobility-supply-chain", "fingerprint": "b79aee471fed2bf502904ec5ce70cae3c78b0cb0798ea9a839d1946662a03566", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b79aee471fed2bf502904ec5ce70cae3c78b0cb0798ea9a839d1946662a03566"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.canary"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.23.4` not pinned by digest: `FROM alpine:3.23.4` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 54197, "scanner": "repobility-supply-chain", "fingerprint": "b2d4d670a83e28990d8a3f57e3aae767f422b98314be39b1944e6196ceb255d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2d4d670a83e28990d8a3f57e3aae767f422b98314be39b1944e6196ceb255d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._perl` used but never assigned in __init__: Method `generate` of class `OpenSSLConan` reads `self._perl`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54196, "scanner": "repobility-ast-engine", "fingerprint": "472c95252211d4affb005943e4e0894570512063ec9b2969d6ba8981857baf81", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|472c95252211d4affb005943e4e0894570512063ec9b2969d6ba8981857baf81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 408}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.dependencies` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self.dependencies`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54195, "scanner": "repobility-ast-engine", "fingerprint": "a36b2f2e548de4c397162c87ba65db9b43e0ae379b65a1f3f3da20099419db76", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a36b2f2e548de4c397162c87ba65db9b43e0ae379b65a1f3f3da20099419db76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 377}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.output` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self.output`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54194, "scanner": "repobility-ast-engine", "fingerprint": "f1f064bce78c660f5f8ce7b8bce3f7047e5e31a7dd9a80b0fff19076319503ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f1f064bce78c660f5f8ce7b8bce3f7047e5e31a7dd9a80b0fff19076319503ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 401}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.dependencies` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self.dependencies`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54193, "scanner": "repobility-ast-engine", "fingerprint": "20ff199af7adacc81868017bb559717a154c47275a80db859a967154ff010469", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20ff199af7adacc81868017bb559717a154c47275a80db859a967154ff010469"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 389}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._settings_build` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self._settings_build`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54192, "scanner": "repobility-ast-engine", "fingerprint": "a1f171a64d1751097da3a5885a7e22c3ab3e4f1bde185a09e49c65fd39c37c42", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a1f171a64d1751097da3a5885a7e22c3ab3e4f1bde185a09e49c65fd39c37c42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 384}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._perl` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self._perl`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54191, "scanner": "repobility-ast-engine", "fingerprint": "fe3e5a9e7b5b62098912cd01bf6b4233131f23cb18bb65c8e8b6512300598b3f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe3e5a9e7b5b62098912cd01bf6b4233131f23cb18bb65c8e8b6512300598b3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 353}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._target` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self._target`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54190, "scanner": "repobility-ast-engine", "fingerprint": "2706cff0de05fa12569065791394a57eed3dd1fa191347e439a62a89cd4a5b4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2706cff0de05fa12569065791394a57eed3dd1fa191347e439a62a89cd4a5b4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 346}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_default_openssl_dir` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self._get_default_openssl_dir`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54189, "scanner": "repobility-ast-engine", "fingerprint": "6cf3d4fc0aae99d7e1afaa22b4e59b97d6e1f8fa1b0de1115cb21c672c7fabeb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6cf3d4fc0aae99d7e1afaa22b4e59b97d6e1f8fa1b0de1115cb21c672c7fabeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 343}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.win_bash` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self.win_bash`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54188, "scanner": "repobility-ast-engine", "fingerprint": "cea1ca36fe7f305d1bf599ae25dd4c1605d6146f79ac0b13b86719bdd688bfb8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cea1ca36fe7f305d1bf599ae25dd4c1605d6146f79ac0b13b86719bdd688bfb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.package_folder` used but never assigned in __init__: Method `_get_default_openssl_dir` of class `OpenSSLConan` reads `self.package_folder`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54187, "scanner": "repobility-ast-engine", "fingerprint": "6aebda2dc0356dfa839092b9fd5ac75e01caf4061509168b61b1c14e95122fb8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6aebda2dc0356dfa839092b9fd5ac75e01caf4061509168b61b1c14e95122fb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 339}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._targets` used but never assigned in __init__: Method `_ancestor_target` of class `OpenSSLConan` reads `self._targets`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54186, "scanner": "repobility-ast-engine", "fingerprint": "ab94208c98e3b822a9162febab2404b5d98ff122d48fff42fd5fbc1e8943ce8c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ab94208c98e3b822a9162febab2404b5d98ff122d48fff42fd5fbc1e8943ce8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 327}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._is_mingw` used but never assigned in __init__: Method `_target` of class `OpenSSLConan` reads `self._is_mingw`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54179, "scanner": "repobility-ast-engine", "fingerprint": "e8fbdaf8125b7e4fd2c2efdf9c723b6cdef581ee3f220650d20b9266e391923e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e8fbdaf8125b7e4fd2c2efdf9c723b6cdef581ee3f220650d20b9266e391923e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._use_nmake` used but never assigned in __init__: Method `_target` of class `OpenSSLConan` reads `self._use_nmake`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54177, "scanner": "repobility-ast-engine", "fingerprint": "a7b3fcaebc9a320bed98fc0e8d703f3bf9d738cdb536b6269f3518281ec15de0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a7b3fcaebc9a320bed98fc0e8d703f3bf9d738cdb536b6269f3518281ec15de0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.conan_data` used but never assigned in __init__: Method `source` of class `OpenSSLConan` reads `self.conan_data`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54175, "scanner": "repobility-ast-engine", "fingerprint": "577009db44405c04d1c797eae09c76b79df5233f780969dcacbcf68c126e8e45", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|577009db44405c04d1c797eae09c76b79df5233f780969dcacbcf68c126e8e45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.version` used but never assigned in __init__: Method `source` of class `OpenSSLConan` reads `self.version`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54173, "scanner": "repobility-ast-engine", "fingerprint": "3fd17993ecad102d8b0d7b62d4ccc06947918e9f5b8b00f72c6264b8f43bd031", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3fd17993ecad102d8b0d7b62d4ccc06947918e9f5b8b00f72c6264b8f43bd031"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.source_folder` used but never assigned in __init__: Method `source` of class `OpenSSLConan` reads `self.source_folder`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54171, "scanner": "repobility-ast-engine", "fingerprint": "3e088dd3dc02fb5c1dc6e2b9acb768de2598b43670fdec0d0c070f5e28b590b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3e088dd3dc02fb5c1dc6e2b9acb768de2598b43670fdec0d0c070f5e28b590b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._is_clangcl` used but never assigned in __init__: Method `_use_nmake` of class `OpenSSLConan` reads `self._is_clangcl`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54168, "scanner": "repobility-ast-engine", "fingerprint": "cac68a851f110b1537a370730bad282a69aa165f3128642324bf2386f292620e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cac68a851f110b1537a370730bad282a69aa165f3128642324bf2386f292620e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.conf` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self.conf`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54166, "scanner": "repobility-ast-engine", "fingerprint": "16a2546055a6bb8d753e5da2c88845aaa71092aae93a1c0db909921b308c481b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|16a2546055a6bb8d753e5da2c88845aaa71092aae93a1c0db909921b308c481b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.tool_requires` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self.tool_requires`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54163, "scanner": "repobility-ast-engine", "fingerprint": "7698bea8e47537b4fef5b136a65a9ccfc5af9ef7c42b37322d409a2dae361dee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7698bea8e47537b4fef5b136a65a9ccfc5af9ef7c42b37322d409a2dae361dee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.tool_requires` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self.tool_requires`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54161, "scanner": "repobility-ast-engine", "fingerprint": "0c714e94e1aed24aad336fbedb4c6ef4e6d6ae8485b0773870ced073fbb14670", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c714e94e1aed24aad336fbedb4c6ef4e6d6ae8485b0773870ced073fbb14670"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.tool_requires` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self.tool_requires`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54159, "scanner": "repobility-ast-engine", "fingerprint": "7290bd497cd2270018c1ad9985958dc8e6fd43cafdface2f4795144d65e1d49a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7290bd497cd2270018c1ad9985958dc8e6fd43cafdface2f4795144d65e1d49a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.win_bash` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self.win_bash`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54157, "scanner": "repobility-ast-engine", "fingerprint": "9d797b93e7053c59b4932f712df994e06a3ed6be94544a600fbc93b5b5697a5c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d797b93e7053c59b4932f712df994e06a3ed6be94544a600fbc93b5b5697a5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._settings_build` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self._settings_build`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54155, "scanner": "repobility-ast-engine", "fingerprint": "a662234ce8a463c90ac4038fe8536a569324784a2f69916fe11d399cc5fc7728", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a662234ce8a463c90ac4038fe8536a569324784a2f69916fe11d399cc5fc7728"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._use_nmake` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self._use_nmake`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54153, "scanner": "repobility-ast-engine", "fingerprint": "6121f2e3f4d701a439baa9207caf12b3aa170db6fd791ffc1634d9e49f7549ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6121f2e3f4d701a439baa9207caf12b3aa170db6fd791ffc1634d9e49f7549ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.requires` used but never assigned in __init__: Method `requirements` of class `OpenSSLConan` reads `self.requires`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 54151, "scanner": "repobility-ast-engine", "fingerprint": "1fd209c99f87f8332c1025fa579853076ff5f7d84d3396aff39d963207234f1c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1fd209c99f87f8332c1025fa579853076ff5f7d84d3396aff39d963207234f1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 54015, "scanner": "repobility-threat-engine", "fingerprint": "b5a9352a27cbe52aef95991d7dc3022ba5009939d3df3bf85babf29fe4a30cdc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b5a9352a27cbe52aef95991d7dc3022ba5009939d3df3bf85babf29fe4a30cdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/plugin/plugin.go"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 54013, "scanner": "repobility-threat-engine", "fingerprint": "2c0fcace5a81d1a39dab1e2ea78ee7c967bc7a8ba5d27edcb7ce342c098fbde5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c0fcace5a81d1a39dab1e2ea78ee7c967bc7a8ba5d27edcb7ce342c098fbde5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/iac/scanners/cloudformation/parser/parser.go"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() 
that silently swallows panic."}, "properties": {"repobilityId": 54012, "scanner": "repobility-threat-engine", "fingerprint": "0f94a6340d3baea29a8ee08abb37134af6ca4262e670d718b5dfd4bb67910d60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0f94a6340d3baea29a8ee08abb37134af6ca4262e670d718b5dfd4bb67910d60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/iac/scanners/ansible/parser/template.go"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 54008, "scanner": "repobility-threat-engine", "fingerprint": "47261da6f393ebbe9fe91a3d621b3e7fa5ce8aebdc36a30a678326697e5630d5", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Bytes(input.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|47261da6f393ebbe9fe91a3d621b3e7fa5ce8aebdc36a30a678326697e5630d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/secret/secret.go"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 54007, "scanner": "repobility-threat-engine", "fingerprint": "70d1126d0749620eec0cd8b43c04dd9e93b3481fa08b84269bc1da43c6129f32", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.Join(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|57|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/sbom/sbom.go"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 54006, "scanner": "repobility-threat-engine", "fingerprint": "61e5928b8d88fa13829d8ee1ef6a2933ea76620684200edab68b145cacb3e845", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.Join(input.Dir, input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|27|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/language/java/pom/pom.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. 
Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 54000, "scanner": "repobility-threat-engine", "fingerprint": "b5e253b8082dd734289d3a8b45f4ba2160471faaf0b88de28926e1012e7ac9d3", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package dockerfile\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"regexp\"\n\t\"strings\"\n\n\tv1 \"github.com/google", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b5e253b8082dd734289d3a8b45f4ba2160471faaf0b88de28926e1012e7ac9d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). 
Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 53999, "scanner": "repobility-threat-engine", "fingerprint": "d0ad3fd921373de85abab13c41576d856ac5f514b0b36eaf9343b7bb8eae4042", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package dockerfile\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/aquasecurity/trivy/pkg/", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d0ad3fd921373de85abab13c41576d856ac5f514b0b36eaf9343b7bb8eae4042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/config/dockerfile/docker.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). 
Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 53998, "scanner": "repobility-threat-engine", "fingerprint": "a42a860fb36cba5a83a7821c59add3f2b703cd7d1b4297e7e21e87996acb89df", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package buildinfo\n\nimport (\n\t\"context\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/moby/buildkit", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a42a860fb36cba5a83a7821c59add3f2b703cd7d1b4297e7e21e87996acb89df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/buildinfo/dockerfile.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 53996, "scanner": "repobility-threat-engine", "fingerprint": "300aa676869abd2cd5b4d24218cb0e06e5643380de1ae55fd6ad7378058b406b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|300aa676869abd2cd5b4d24218cb0e06e5643380de1ae55fd6ad7378058b406b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/fanal/analyzer/pkg/apk/apk.go"}, "region": {"startLine": 
227}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 53995, "scanner": "repobility-threat-engine", "fingerprint": "910c8b21d36999ae2ba00b26c0710123d53e6335b96a5d5baab3e0a6eef6e418", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|910c8b21d36999ae2ba00b26c0710123d53e6335b96a5d5baab3e0a6eef6e418"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/digest/digest.go"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 53994, "scanner": "repobility-threat-engine", "fingerprint": "d92eac780157233138897220d62e7276c7ab835d5da43fa8538d405b1f9303f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d92eac780157233138897220d62e7276c7ab835d5da43fa8538d405b1f9303f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"pkg/dependency/parser/java/jar/sonatype/sonatype.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 53992, "scanner": "repobility-threat-engine", "fingerprint": "059b4a9f1eaf618c7751f9a21fcd3571c1683fb86cdab26c6d97e6fd022295aa", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|059b4a9f1eaf618c7751f9a21fcd3571c1683fb86cdab26c6d97e6fd022295aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/dependency/parser/golang/mod/parse.go"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 53991, "scanner": "repobility-threat-engine", "fingerprint": "4177e0d048720c7782fe3823a5531cc023d1863a64c38f07d64fb8feeac3811d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4177e0d048720c7782fe3823a5531cc023d1863a64c38f07d64fb8feeac3811d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/commands/run.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 53990, "scanner": "repobility-threat-engine", "fingerprint": "029ede191fa2ea90d98e7c3b8f11ee960008362d3d32f928b70a10a45f230a9d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|029ede191fa2ea90d98e7c3b8f11ee960008362d3d32f928b70a10a45f230a9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/cache/redis.go"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 53989, "scanner": "repobility-threat-engine", "fingerprint": "d1c6efd32517fc41180713d3363372bd6f77b4f1c6e0f88dd09c4267971457de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "f.files.Delete(name)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d1c6efd32517fc41180713d3363372bd6f77b4f1c6e0f88dd09c4267971457de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/mapfs/file.go"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 53988, "scanner": "repobility-threat-engine", "fingerprint": "2c5c18bad8054ddbb0b399798c7af6b127ec67d038e27b2de5b61d9cbe7e168e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "c.blobs.Delete(blobID)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2c5c18bad8054ddbb0b399798c7af6b127ec67d038e27b2de5b61d9cbe7e168e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/cache/memory.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 53974, "scanner": "repobility-threat-engine", "fingerprint": "f510e84e27003c1c6eb0628d78ce3650e449fba16c646dbf28c98d926c4154cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f510e84e27003c1c6eb0628d78ce3650e449fba16c646dbf28c98d926c4154cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/testutil/gzip.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 53973, "scanner": "repobility-threat-engine", "fingerprint": "b633d58be006118e591cb7b7f20fe164e3859b035e0281b966e74ba1c69ef5cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b633d58be006118e591cb7b7f20fe164e3859b035e0281b966e74ba1c69ef5cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/testutil/fs.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 53972, "scanner": "repobility-threat-engine", "fingerprint": "8272a7315135a73366126a32b6891ca249db43561759bcc66673e36425204187", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8272a7315135a73366126a32b6891ca249db43561759bcc66673e36425204187"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/gittest/server.go"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TRIVY_WORKFLOW_TRIGGER_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRIVY_WORKFLOW_TRIGGER_APP_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 54203, "scanner": "repobility-supply-chain", "fingerprint": "4f4d8adab4d54d3b7bf54f4987f7ab18b961629b5035bf7ae65ac510947eb895", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f4d8adab4d54d3b7bf54f4987f7ab18b961629b5035bf7ae65ac510947eb895"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-chart.yaml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ACTIONS_MULTI_WRITE_GH_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ACTIONS_MULTI_WRITE_GH_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 54202, "scanner": "repobility-supply-chain", "fingerprint": "c9b447f4434bbb5dfdb9aae57f968d5a8bb40186a3b33ceb29ec3353ca1edee2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9b447f4434bbb5dfdb9aae57f968d5a8bb40186a3b33ceb29ec3353ca1edee2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-chart.yaml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 54011, "scanner": "repobility-threat-engine", "fingerprint": "7317793ecf8ab3a6c0c29e940d7520de6bacb1509877cbf50387bd59c3656aef", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7317793ecf8ab3a6c0c29e940d7520de6bacb1509877cbf50387bd59c3656aef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/iac/scanners/ansible/parser/template.go"}, "region": {"startLine": 58}}}]}]}]}