{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-pq67-6m6q-mj2v", "name": "urllib3: GHSA-pq67-6m6q-mj2v", "shortDescription": {"text": "urllib3: GHSA-pq67-6m6q-mj2v"}, "fullDescription": {"text": "urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-34jh-p97f-mpxf", "name": "urllib3: GHSA-34jh-p97f-mpxf", "shortDescription": {"text": "urllib3: GHSA-34jh-p97f-mpxf"}, "fullDescription": {"text": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gc5v-m9x4-r6x2", "name": "requests: GHSA-gc5v-m9x4-r6x2", "shortDescription": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "fullDescription": {"text": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9wx4-h78v-vm56", "name": "requests: GHSA-9wx4-h78v-vm56", "shortDescription": {"text": "requests: GHSA-9wx4-h78v-vm56"}, "fullDescription": {"text": "Requests `Session` object does not verify requests after making first request with verify=False"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9hjg-9r4m-mvj7", "name": "requests: GHSA-9hjg-9r4m-mvj7", "shortDescription": {"text": "requests: GHSA-9hjg-9r4m-mvj7"}, "fullDescription": {"text": "Requests vulnerable to .netrc credentials leak via malicious URLs"}, "properties": 
{"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-crqm-m339-7m2p", "name": "pyzipper: GHSA-crqm-m339-7m2p", "shortDescription": {"text": "pyzipper: GHSA-crqm-m339-7m2p"}, "fullDescription": {"text": "pyzipper has an encryption bypass for small files encrypted using it"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w8v5-vhqr-4h9v", "name": "diskcache: GHSA-w8v5-vhqr-4h9v", "shortDescription": {"text": "diskcache: GHSA-w8v5-vhqr-4h9v"}, "fullDescription": {"text": "DiskCache has unsafe pickle deserialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-PY", "name": "Python package `cachetools` is 2 major version(s) behind (5.3.3 -> 7.1.4)", "shortDescription": {"text": "Python package `cachetools` is 2 major version(s) behind (5.3.3 -> 7.1.4)"}, "fullDescription": {"text": "`cachetools==5.3.3` is 2 major version(s) behind the latest stable release on PyPI (7.1.4). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. 
This is the version-currency signal Dependabot raises."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. 
If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "GHSA-gm62-xv2j-4w53", "name": "urllib3: GHSA-gm62-xv2j-4w53", "shortDescription": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "fullDescription": {"text": "urllib3 allows an unbounded number of links in the decompression chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38jv-5279-wg99", "name": "urllib3: GHSA-38jv-5279-wg99", "shortDescription": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "fullDescription": {"text": "Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2xpw-w6gg-jr37", "name": "urllib3: GHSA-2xpw-w6gg-jr37", "shortDescription": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "fullDescription": {"text": "urllib3 streaming API improperly handles highly compressed data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-141", "name": "urllib3: PYSEC-2026-141", "shortDescription": {"text": "urllib3: PYSEC-2026-141"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. 
This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-212", "name": "urllib3: PYSEC-2023-212", "shortDescription": {"text": "urllib3: PYSEC-2023-212"}, "fullDescription": {"text": "urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. 
Using urllib3 and"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j225-cvw7-qrx7", "name": "pycryptodome: GHSA-j225-cvw7-qrx7", "shortDescription": {"text": "pycryptodome: GHSA-j225-cvw7-qrx7"}, "fullDescription": {"text": "PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `ad-m/github-push-action` pinned to mutable ref `@v0.6.0`", "shortDescription": {"text": "Action `ad-m/github-push-action` pinned to mutable ref `@v0.6.0`"}, "fullDescription": {"text": "`uses: ad-m/github-push-action@v0.6.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin updated with Dependabot or Renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1379"}, "properties": {"repository": "byte-capsule/FanCode-Hls-Fetcher", "repoUrl": "https://github.com/byte-capsule/FanCode-Hls-Fetcher", "branch": "main"}, "results": [{"ruleId": "GHSA-pq67-6m6q-mj2v", "level": "warning", "message": {"text": "urllib3: GHSA-pq67-6m6q-mj2v"}, "properties": {"repobilityId": 141004, "scanner": "osv-scanner", "fingerprint": "163bdff65c3ce10f9a93a9866aca7dc5f2158119544e441758bb1e189063007d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-50181"], "package": "urllib3", "rule_id": "GHSA-pq67-6m6q-mj2v", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-50181|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-34jh-p97f-mpxf", "level": "warning", "message": {"text": "urllib3: GHSA-34jh-p97f-mpxf"}, "properties": {"repobilityId": 141001, "scanner": "osv-scanner", "fingerprint": "263ef88ffb58e95c907a84244d8bddfff838336fc8a8dc6fbbaf932de3120706", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-37891"], "package": "urllib3", "rule_id": "GHSA-34jh-p97f-mpxf", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2024-37891|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gc5v-m9x4-r6x2", "level": "warning", "message": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "properties": 
{"repobilityId": 140997, "scanner": "osv-scanner", "fingerprint": "df69fc105f839b8858988bd945af94347c2e8a5ab6be2c5dec785fcd4d2fc827", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25645"], "package": "requests", "rule_id": "GHSA-gc5v-m9x4-r6x2", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2026-25645|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9wx4-h78v-vm56", "level": "warning", "message": {"text": "requests: GHSA-9wx4-h78v-vm56"}, "properties": {"repobilityId": 140996, "scanner": "osv-scanner", "fingerprint": "16335ea6537f2b6c71811f552212ec9408c35d43ff73d772da0d19be29d73991", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-35195"], "package": "requests", "rule_id": "GHSA-9wx4-h78v-vm56", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2024-35195|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9hjg-9r4m-mvj7", "level": "warning", "message": {"text": "requests: GHSA-9hjg-9r4m-mvj7"}, "properties": {"repobilityId": 140995, "scanner": "osv-scanner", "fingerprint": "034eedde606d9526f151c4b574252cb5c7f7efabba940fadb09dc2a0d1598395", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47081"], "package": "requests", "rule_id": "GHSA-9hjg-9r4m-mvj7", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2024-47081|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-crqm-m339-7m2p", "level": "warning", "message": {"text": "pyzipper: GHSA-crqm-m339-7m2p"}, "properties": {"repobilityId": 140994, "scanner": "osv-scanner", "fingerprint": "60d8c4c59bedea141bd1d8e9c8c637e35c563ffdc9ccf1047cd3f0081df04548", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44722"], "package": "pyzipper", "rule_id": "GHSA-crqm-m339-7m2p", "scanner": "osv-scanner", "correlation_key": "vuln|pyzipper|CVE-2026-44722|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w8v5-vhqr-4h9v", "level": "warning", "message": {"text": "diskcache: GHSA-w8v5-vhqr-4h9v"}, "properties": {"repobilityId": 140992, "scanner": "osv-scanner", "fingerprint": "c3fc31cfa85086e67ef6af5c8a57625ff9f1287e682a3ddf064c3f06d9daabc4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69872"], "package": "diskcache", "rule_id": "GHSA-w8v5-vhqr-4h9v", "scanner": "osv-scanner", "correlation_key": "vuln|diskcache|CVE-2025-69872|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 140990, "scanner": "repobility-threat-engine", "fingerprint": "8b5f27b6ec901d4b853475590c13faafdacab094331e67a415006d3d0de51088", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|decrypt.py|6|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "decrypt.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `cachetools` is 2 major version(s) behind (5.3.3 -> 7.1.4)"}, "properties": {"repobilityId": 140989, "scanner": "repobility-dependency-currency", "fingerprint": "358c669fbe7751c552bd3460bd4ffa4f92fdb3dc95b6ab1973f8329cbc2ded43", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cachetools", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "7.1.4", "correlation_key": "fp|358c669fbe7751c552bd3460bd4ffa4f92fdb3dc95b6ab1973f8329cbc2ded43", "current_version": "5.3.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `pytz` is 3 major version(s) behind (2023.3.post1 -> 2026.2)"}, "properties": {"repobilityId": 140984, "scanner": "repobility-dependency-currency", "fingerprint": "09d5cd57ff0a0ef848b0111dbd0c23d50f53b062c766c1c995204f22fa2f0c2c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pytz", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], 
"latest_version": "2026.2", "correlation_key": "fp|09d5cd57ff0a0ef848b0111dbd0c23d50f53b062c766c1c995204f22fa2f0c2c", "current_version": "2023.3.post1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 140980, "scanner": "repobility-ast-engine", "fingerprint": "89e2b038a7c7151fa3c11bf12c2c1b0552628208fad71bfd7e5fe4818abfe174", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89e2b038a7c7151fa3c11bf12c2c1b0552628208fad71bfd7e5fe4818abfe174"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "decrypt.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `beautifulsoup4` is minor version(s) behind (4.12.3 -> 4.14.3)"}, "properties": {"repobilityId": 140988, "scanner": "repobility-dependency-currency", "fingerprint": "e9afbc629f6ad9957d17e2c323246f2a2f1f4447036cc3d55147c154810d4e2d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "beautifulsoup4", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "4.14.3", "correlation_key": "fp|e9afbc629f6ad9957d17e2c323246f2a2f1f4447036cc3d55147c154810d4e2d", "current_version": "4.12.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": 
"DEPCUR-PY", "level": "note", "message": {"text": "Python package `pyzipper` is minor version(s) behind (0.3.6 -> 0.4.0)"}, "properties": {"repobilityId": 140987, "scanner": "repobility-dependency-currency", "fingerprint": "087a9a7d6fc1c04568bcbbe1f39368115a178dd69c082c008032b7a5e35a705b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pyzipper", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.4.0", "correlation_key": "fp|087a9a7d6fc1c04568bcbbe1f39368115a178dd69c082c008032b7a5e35a705b", "current_version": "0.3.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `urllib3` is minor version(s) behind (2.0.6 -> 2.7.0)"}, "properties": {"repobilityId": 140986, "scanner": "repobility-dependency-currency", "fingerprint": "725a5c7a1a8deb3c598b4a5845884e77f33c1c1d4c048e28842b0d1080553320", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "urllib3", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.7.0", "correlation_key": "fp|725a5c7a1a8deb3c598b4a5845884e77f33c1c1d4c048e28842b0d1080553320", "current_version": "2.0.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `requests` is minor version(s) behind (2.31.0 -> 2.34.2)"}, "properties": {"repobilityId": 140985, "scanner": 
"repobility-dependency-currency", "fingerprint": "136a173727cdab00088fe31fb1422c08364ccf9ab726f83808c766f10a821e71", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "requests", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.34.2", "correlation_key": "fp|136a173727cdab00088fe31fb1422c08364ccf9ab726f83808c766f10a821e71", "current_version": "2.31.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `pycryptodome` is minor version(s) behind (3.19.0 -> 3.23.0)"}, "properties": {"repobilityId": 140983, "scanner": "repobility-dependency-currency", "fingerprint": "70d848a41ee03481145d74bcb58d6e9afa9c0ad09bfec85fd0b2bc1c5ec067d4", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pycryptodome", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.23.0", "correlation_key": "fp|70d848a41ee03481145d74bcb58d6e9afa9c0ad09bfec85fd0b2bc1c5ec067d4", "current_version": "3.19.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 140979, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, 
"triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "GHSA-gm62-xv2j-4w53", "level": "error", "message": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "properties": {"repobilityId": 141003, "scanner": "osv-scanner", "fingerprint": "c6179b31454e1888b1c1cb677d9a99fa3cc26aa20b5c461bc02cfa5532b4b7de", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66418"], "package": "urllib3", "rule_id": "GHSA-gm62-xv2j-4w53", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66418|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38jv-5279-wg99", "level": "error", "message": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "properties": {"repobilityId": 141002, "scanner": "osv-scanner", "fingerprint": "7efc812025ab761a376ad0e88be78a767b579da26a39959de36b3ff8586ddf87", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-21441"], "package": "urllib3", "rule_id": "GHSA-38jv-5279-wg99", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-21441|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2xpw-w6gg-jr37", "level": "error", "message": {"text": "urllib3: 
GHSA-2xpw-w6gg-jr37"}, "properties": {"repobilityId": 141000, "scanner": "osv-scanner", "fingerprint": "3e8220a54bdfdded3281f2e83b5ce135568419305f3e1461f7898b0d265417c6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66471"], "package": "urllib3", "rule_id": "GHSA-2xpw-w6gg-jr37", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66471|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-141", "level": "error", "message": {"text": "urllib3: PYSEC-2026-141"}, "properties": {"repobilityId": 140999, "scanner": "osv-scanner", "fingerprint": "c9782ea239ddf9652bd8aa66c5c6c4ebee4d2b704faaab015341940a64bb5ee3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc"], "package": "urllib3", "rule_id": "PYSEC-2026-141", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44431|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8fea5709b1e04c1904accc4ad0dc76733fefc920773cbaba3c59a24994880532", "c9782ea239ddf9652bd8aa66c5c6c4ebee4d2b704faaab015341940a64bb5ee3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-212", "level": "error", "message": {"text": "urllib3: PYSEC-2023-212"}, "properties": {"repobilityId": 140998, "scanner": "osv-scanner", "fingerprint": "c54313db294544b9cee782de7e62a50e816abe039964f07deaebb09ad1516523", "category": "dependency", 
"severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-45803", "GHSA-g4mx-q9vg-27p4"], "package": "urllib3", "rule_id": "PYSEC-2023-212", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2023-45803|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-g4mx-q9vg-27p4", "PYSEC-2023-212"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["9e561813e7f0196d36c9996b633bffde6cb85ab62a6af4b0ce8849ce8ecb4407", "c54313db294544b9cee782de7e62a50e816abe039964f07deaebb09ad1516523"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j225-cvw7-qrx7", "level": "error", "message": {"text": "pycryptodome: GHSA-j225-cvw7-qrx7"}, "properties": {"repobilityId": 140993, "scanner": "osv-scanner", "fingerprint": "d67ddfc8e21af207429e2f5aee455cabb203815b00cc3b18d8d6eb2d5a57cc7c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-52323", "PYSEC-2024-3"], "package": "pycryptodome", "rule_id": "GHSA-j225-cvw7-qrx7", "scanner": "osv-scanner", "correlation_key": "vuln|pycryptodome|CVE-2023-52323|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 140991, "scanner": "repobility-threat-engine", "fingerprint": "d1c0f20c941237e484d14176a4bcc697473a1b1d99656c90d697764855149fec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1c0f20c941237e484d14176a4bcc697473a1b1d99656c90d697764855149fec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "decrypt.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ad-m/github-push-action` pinned to mutable ref `@v0.6.0`"}, "properties": {"repobilityId": 140982, "scanner": "repobility-supply-chain", "fingerprint": "39ac7aa0230fda6a2deeb89cabea5836d77aa6058c05f95dfd6df866f885b65a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39ac7aa0230fda6a2deeb89cabea5836d77aa6058c05f95dfd6df866f885b65a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 140981, "scanner": "repobility-supply-chain", "fingerprint": "cdfb4c962385bb88d870920316cbbbc99f6c3a4eaf22151b217f6267d48e2cdb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], 
"observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cdfb4c962385bb88d870920316cbbbc99f6c3a4eaf22151b217f6267d48e2cdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 16}}}]}]}]}