{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `actions/download-artifact@v7` is 1 major version(s) behind (latest v8.0.1)", "shortDescription": {"text": "GitHub Action `actions/download-artifact@v7` is 1 major version(s) behind (latest v8.0.1)"}, "fullDescription": {"text": "`uses: actions/download-artifact@v7` is 1 major version(s) behind the latest published release v8.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. 
This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED046", "name": "[MINED046] Dart Print: print() in Flutter goes to console. Use debugPrint / logger.", "shortDescription": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. Use debugPrint / logger."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392, CWE-798 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0097", "name": "rand: RUSTSEC-2026-0097", "shortDescription": {"text": "rand: RUSTSEC-2026-0097"}, "fullDescription": {"text": "Rand is unsound with a custom logger using `rand::rng()`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0007", "name": "bytes: RUSTSEC-2026-0007", "shortDescription": {"text": "bytes: RUSTSEC-2026-0007"}, "fullDescription": {"text": "Integer overflow in `BytesMut::reserve`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0009", "name": "time: RUSTSEC-2026-0009", "shortDescription": {"text": "time: RUSTSEC-2026-0009"}, "fullDescription": {"text": "Denial of Service via Stack Exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0104", "name": "rustls-webpki: RUSTSEC-2026-0104", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0104"}, "fullDescription": {"text": "Reachable panic in certificate revocation list parsing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 
0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0099", "name": "rustls-webpki: RUSTSEC-2026-0099", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "fullDescription": {"text": "Name constraints were accepted for certificates asserting a wildcard name"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0098", "name": "rustls-webpki: RUSTSEC-2026-0098", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0098"}, "fullDescription": {"text": "Name constraints for URI names were incorrectly accepted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0049", "name": "rustls-webpki: RUSTSEC-2026-0049", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0049"}, "fullDescription": {"text": "CRLs not considered authoritative by Distribution Point due to faulty matching logic"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2023-0071", "name": "rsa: RUSTSEC-2023-0071", "shortDescription": {"text": "rsa: RUSTSEC-2023-0071"}, "fullDescription": {"text": "Marvin Attack: potential key recovery through timing sidechannels"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0141", "name": "bincode: RUSTSEC-2025-0141", "shortDescription": {"text": "bincode: RUSTSEC-2025-0141"}, "fullDescription": {"text": "Bincode is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0056", "name": "adler: RUSTSEC-2025-0056", "shortDescription": {"text": "adler: RUSTSEC-2025-0056"}, "fullDescription": {"text": "adler crate is 
unmaintained, use adler2 instead"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED008", "name": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let.", "shortDescription": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Apply these checks to the address the hostname resolves to, and re-check after every redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `scripts/windows/x64/msvcp140.dll` committed in source repo", "shortDescription": {"text": "Binary file `scripts/windows/x64/msvcp140.dll` committed in source repo"}, "fullDescription": {"text": "`scripts/windows/x64/msvcp140.dll` is a .dll binary (578,384 bytes) committed to a repo that otherwise has 95 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `fedora:38` unpinned", "shortDescription": {"text": "Workflow container/services image `fedora:38` unpinned"}, "fullDescription": {"text": "`container/services image: fedora:38` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `debian:bookworm` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `debian:bookworm` not pinned by digest"}, "fullDescription": {"text": "`FROM debian:bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "private-key", "name": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.", "shortDescription": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/928"}, "properties": {"repository": "localsend/localsend", "repoUrl": "https://github.com/localsend/localsend", "branch": "main"}, "results": [{"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 87025, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 87024, "scanner": "repobility-docker", "fingerprint": 
"55228851cadeaeb387109e28d27c4945b15b1ac499f41d2c507f1bd8eece1da9", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|55228851cadeaeb387109e28d27c4945b15b1ac499f41d2c507f1bd8eece1da9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/download-artifact@v7` is 1 major version(s) behind (latest v8.0.1)"}, "properties": {"repobilityId": 87004, "scanner": "repobility-dependency-currency", "fingerprint": "5e9f21f5a876a951139fa65b4a219825649852421830474b3cf1f142ced776fc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/download-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v8.0.1", "correlation_key": "fp|5e9f21f5a876a951139fa65b4a219825649852421830474b3cf1f142ced776fc", "current_version": "v7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 405}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `release-drafter/release-drafter@v6` is 1 major version(s) behind (latest v7.3.1)"}, "properties": {"repobilityId": 87003, "scanner": 
"repobility-dependency-currency", "fingerprint": "b7d236f08e540b97c2d4b1776ae64a113de28a5fd94655d9c02aa183c3d2678f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "release-drafter/release-drafter", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.3.1", "correlation_key": "fp|b7d236f08e540b97c2d4b1776ae64a113de28a5fd94655d9c02aa183c3d2678f", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 396}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/upload-artifact@v6` is 1 major version(s) behind (latest v7.0.1)"}, "properties": {"repobilityId": 87002, "scanner": "repobility-dependency-currency", "fingerprint": "e82c3b4998c8df5927456ef0a37275e849bf40f7679daaba42d886961f8614cf", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.0.1", "correlation_key": "fp|e82c3b4998c8df5927456ef0a37275e849bf40f7679daaba42d886961f8614cf", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/upload-artifact@v6` is 1 major version(s) behind (latest v7.0.1)"}, "properties": {"repobilityId": 86995, "scanner": "repobility-dependency-currency", 
"fingerprint": "533b5015369a888d80a2eab83887bdd888f1e1be5319462f8a74adb8de09c40b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.0.1", "correlation_key": "fp|533b5015369a888d80a2eab83887bdd888f1e1be5319462f8a74adb8de09c40b", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_zip.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/upload-artifact@v6` is 1 major version(s) behind (latest v7.0.1)"}, "properties": {"repobilityId": 86992, "scanner": "repobility-dependency-currency", "fingerprint": "09df6c284e2e07ac47bbbee53d32f64d3f9c60d46a534616a590de27ae57bc22", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.0.1", "correlation_key": "fp|09df6c284e2e07ac47bbbee53d32f64d3f9c60d46a534616a590de27ae57bc22", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_arm64_appimage.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/upload-artifact@v6` is 1 major version(s) behind (latest v7.0.1)"}, "properties": {"repobilityId": 86990, "scanner": "repobility-dependency-currency", "fingerprint": 
"79704ad642e93d4931cc60c43d922ed78e77a7087a4f95f99294373356624d82", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.0.1", "correlation_key": "fp|79704ad642e93d4931cc60c43d922ed78e77a7087a4f95f99294373356624d82", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_rpm.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/upload-artifact@v6` is 1 major version(s) behind (latest v7.0.1)"}, "properties": {"repobilityId": 86987, "scanner": "repobility-dependency-currency", "fingerprint": "050f65d93d6bdf05e3baa5398b8292a7ca35fc730d147b7f78f3d74a44b7f9ac", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.0.1", "correlation_key": "fp|050f65d93d6bdf05e3baa5398b8292a7ca35fc730d147b7f78f3d74a44b7f9ac", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_apk.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/upload-artifact@v6` is 1 major version(s) behind (latest v7.0.1)"}, "properties": {"repobilityId": 86982, "scanner": "repobility-dependency-currency", "fingerprint": 
"43e7d6ca95540520b5479a224f5f672b595fbb99a66fa7c8e66bc6b35907f8fa", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.0.1", "correlation_key": "fp|43e7d6ca95540520b5479a224f5f672b595fbb99a66fa7c8e66bc6b35907f8fa", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_arm64_tar.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 87008, "scanner": "repobility-threat-engine", "fingerprint": "ead13b7079fdbeaabe94a6b607926962b6f0611d2e88845b68edf633a89b4a7d", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|app/assets/web/main.js|138|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/assets/web/main.js"}, "region": {"startLine": 138}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `subosito/flutter-action@v2` is minor version(s) behind (latest v2.23.0)"}, "properties": {"repobilityId": 87000, "scanner": "repobility-dependency-currency", "fingerprint": "6f97c70b9d743f0a5a71e674f488b6b26a561abf5e4ce58436b0181da77f0a4a", "category": 
"dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "subosito/flutter-action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v2.23.0", "correlation_key": "fp|6f97c70b9d743f0a5a71e674f488b6b26a561abf5e4ce58436b0181da77f0a4a", "current_version": "v2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-java@v5` is minor version(s) behind (latest v5.2.0)"}, "properties": {"repobilityId": 86999, "scanner": "repobility-dependency-currency", "fingerprint": "2d649d15ced53750cbbaf9cb1e3a4322028b527fd4ecf39d9b1e41fb810ecf50", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-java", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v5.2.0", "correlation_key": "fp|2d649d15ced53750cbbaf9cb1e3a4322028b527fd4ecf39d9b1e41fb810ecf50", "current_version": "v5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `flutter-actions/setup-flutter@v4` is minor version(s) behind (latest v4.2)"}, "properties": {"repobilityId": 86997, "scanner": "repobility-dependency-currency", "fingerprint": "a14d5b0ba9e16a14fcbac0f5c45215efd06da575fc66d503f23ecf98f5810307", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "flutter-actions/setup-flutter", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v4.2", "correlation_key": "fp|a14d5b0ba9e16a14fcbac0f5c45215efd06da575fc66d503f23ecf98f5810307", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `subosito/flutter-action@v2` is minor version(s) behind (latest v2.23.0)"}, "properties": {"repobilityId": 86994, "scanner": "repobility-dependency-currency", "fingerprint": "dacbc47f64ada52a2c7a74103a9c55232c495feb320a0930e07b87f52ac838b3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "subosito/flutter-action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v2.23.0", "correlation_key": "fp|dacbc47f64ada52a2c7a74103a9c55232c495feb320a0930e07b87f52ac838b3", "current_version": "v2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_zip.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `subosito/flutter-action@v2` is minor version(s) behind (latest v2.23.0)"}, "properties": {"repobilityId": 86989, "scanner": "repobility-dependency-currency", "fingerprint": "f76e1b51b36af6af07d108c625e86f53a7eaa1fb82f385209a2de0d86b3ee65a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": 
"minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "subosito/flutter-action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v2.23.0", "correlation_key": "fp|f76e1b51b36af6af07d108c625e86f53a7eaa1fb82f385209a2de0d86b3ee65a", "current_version": "v2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_rpm.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `subosito/flutter-action@v2` is minor version(s) behind (latest v2.23.0)"}, "properties": {"repobilityId": 86985, "scanner": "repobility-dependency-currency", "fingerprint": "bc1bef834ab835d93b29a6a81f8469f5fbb6869956c50d490ce7d5b0b6948e89", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "subosito/flutter-action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v2.23.0", "correlation_key": "fp|bc1bef834ab835d93b29a6a81f8469f5fbb6869956c50d490ce7d5b0b6948e89", "current_version": "v2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_apk.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-java@v5` is minor version(s) behind (latest v5.2.0)"}, "properties": {"repobilityId": 86984, "scanner": "repobility-dependency-currency", "fingerprint": "58df081acc2a0d90bbb1592a8dcfb755bcf1dd2d4b14f36bcf56c016bb476369", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": 
["CWE-1104"], "package": "actions/setup-java", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v5.2.0", "correlation_key": "fp|58df081acc2a0d90bbb1592a8dcfb755bcf1dd2d4b14f36bcf56c016bb476369", "current_version": "v5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_apk.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86949, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c764ffd320a6598146b2b8718f28d08a588aeffeb761b950e5eac166a5afce78", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/rust/src/api/webrtc.rs", "duplicate_line": 372, "correlation_key": "fp|c764ffd320a6598146b2b8718f28d08a588aeffeb761b950e5eac166a5afce78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/webrtc/signaling.rs"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86948, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c9865417a130b18dc683fa385d38cf96b825f39e85a1b57a95fbac5ae1d44b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"core/src/http/server/controller/v2.rs", "duplicate_line": 8, "correlation_key": "fp|1c9865417a130b18dc683fa385d38cf96b825f39e85a1b57a95fbac5ae1d44b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/http/server/controller/v3.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86947, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8bbc1d1b5509cf09e8bdbb7c3bc4c0e9fb8923bdb0b4e4f68210060173f80b91", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/http/client/v2.rs", "duplicate_line": 108, "correlation_key": "fp|8bbc1d1b5509cf09e8bdbb7c3bc4c0e9fb8923bdb0b4e4f68210060173f80b91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/http/client/v3.rs"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86946, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76eebf4a124f3e21849aef42036ee7d761d259729eff6cd99434f140fc3c3790", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/lib/widget/dialogs/qr_dialog.dart", "duplicate_line": 52, "correlation_key": "fp|76eebf4a124f3e21849aef42036ee7d761d259729eff6cd99434f140fc3c3790"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/lib/widget/dialogs/zoom_dialog.dart"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86945, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ac513dbbc777d6e7b653d5bbe07c657773c31ded238f1d062bef4903e769ef5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/lib/widget/dialogs/text_field_tv.dart", "duplicate_line": 26, "correlation_key": "fp|7ac513dbbc777d6e7b653d5bbe07c657773c31ded238f1d062bef4903e769ef5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/lib/widget/dialogs/text_field_with_actions.dart"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86944, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c515e573b3911f8e24b386977c57de315d936add9941d6d804ce07e76accf744", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/lib/widget/dialogs/qr_dialog.dart", "duplicate_line": 81, "correlation_key": "fp|c515e573b3911f8e24b386977c57de315d936add9941d6d804ce07e76accf744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/lib/widget/dialogs/send_mode_help_dialog.dart"}, 
"region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86943, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a48d16427237c5d0fdf98d933de08c04b10d9cc6b33c36ba39ed23afb2142e35", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/lib/widget/dialogs/file_name_input_dialog.dart", "duplicate_line": 84, "correlation_key": "fp|a48d16427237c5d0fdf98d933de08c04b10d9cc6b33c36ba39ed23afb2142e35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/lib/widget/dialogs/quick_actions_dialog.dart"}, "region": {"startLine": 123}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86942, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f2a8452b37a3455004d205b6830c3b8d198cc9cb014e8f21f13ddb0365768e4a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/lib/widget/dialogs/favorite_delete_dialog.dart", "duplicate_line": 13, "correlation_key": "fp|f2a8452b37a3455004d205b6830c3b8d198cc9cb014e8f21f13ddb0365768e4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/lib/widget/dialogs/history_clear_dialog.dart"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 86941, "scanner": "repobility-ai-code-hygiene", "fingerprint": "61df373f08d3360af7f0419637ee5eff070751e84d961bf6eddf6244caa46ceb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/lib/widget/dialogs/address_input_dialog.dart", "duplicate_line": 189, "correlation_key": "fp|61df373f08d3360af7f0419637ee5eff070751e84d961bf6eddf6244caa46ceb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/lib/widget/dialogs/favorite_edit_dialog.dart"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86940, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec7da1600650103c6d7c9df4c19551d0481bc84af27ac5e8e77df9503a3453c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/lib/widget/dialogs/address_input_dialog.dart", "duplicate_line": 191, "correlation_key": "fp|ec7da1600650103c6d7c9df4c19551d0481bc84af27ac5e8e77df9503a3453c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/lib/widget/dialogs/favorite_dialog.dart"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86939, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "d1294016867f92b223d64ccfe6bbc435a701d4de7172c4d2540db6f8444de910", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/lib/provider/logging/discovery_logs_provider.dart", "duplicate_line": 10, "correlation_key": "fp|d1294016867f92b223d64ccfe6bbc435a701d4de7172c4d2540db6f8444de910"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/lib/provider/logging/http_logs_provider.dart"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86938, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83626ed44f81ec9eb7ae87e05d39d40350cda07e8522e2a131785cd8263460b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/lib/pages/debug/discovery_debug_page.dart", "duplicate_line": 30, "correlation_key": "fp|83626ed44f81ec9eb7ae87e05d39d40350cda07e8522e2a131785cd8263460b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/lib/pages/debug/http_logs_page.dart"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86937, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"0674ac9e853f4572fb12c7d2d6f05779c85fc01ee166e3fe36bce06bee0c6cab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/lib/model/state/send/sending_file.mapper.dart", "duplicate_line": 127, "correlation_key": "fp|0674ac9e853f4572fb12c7d2d6f05779c85fc01ee166e3fe36bce06bee0c6cab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/lib/model/state/send/web/web_send_file.mapper.dart"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 87023, "scanner": "repobility-threat-engine", "fingerprint": "73c35d5f4c9bf462fea9fd588602b40ca1afbeac9891116f0a2261abf2a9a04a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|73c35d5f4c9bf462fea9fd588602b40ca1afbeac9891116f0a2261abf2a9a04a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/main.rs"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 87022, "scanner": "repobility-threat-engine", "fingerprint": "88d19610f54cfe19426fdbb8cb8ab018714758e2346eab4e6e398196c6c45fd8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88d19610f54cfe19426fdbb8cb8ab018714758e2346eab4e6e398196c6c45fd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/config/init.rs"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. 
Use debugPrint / logger."}, "properties": {"repobilityId": 87021, "scanner": "repobility-threat-engine", "fingerprint": "1f29f09bc8cd07c4846ed1ed7608ac6ebdbc55ba95a23861cac28750a1c17f8e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1f29f09bc8cd07c4846ed1ed7608ac6ebdbc55ba95a23861cac28750a1c17f8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/contributions_digester.dart"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 87020, "scanner": "repobility-threat-engine", "fingerprint": "a4ab070bc44d239c77b444b3d6607ddc47b2f95a22b9854095668ddc3c2f06c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a4ab070bc44d239c77b444b3d6607ddc47b2f95a22b9854095668ddc3c2f06c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/compile_mac_dmg.sh"}, 
"region": {"startLine": 39}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 87019, "scanner": "repobility-threat-engine", "fingerprint": "2a16de56e5c0507f58750804ed55b728e3ee77fd172df197a0481db18b20d318", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2a16de56e5c0507f58750804ed55b728e3ee77fd172df197a0481db18b20d318", "aggregated_count": 4}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 87014, "scanner": "repobility-threat-engine", "fingerprint": "9ba00a856e32fd9ba5e5c50a052a0db972dc3d3fe7c9af979e5ad274a2265180", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|9ba00a856e32fd9ba5e5c50a052a0db972dc3d3fe7c9af979e5ad274a2265180"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/windows/runner/win32_window.cpp"}, "region": {"startLine": 66}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/upload-release-asset@v1` is patch version(s) behind (latest v1.0.2)"}, "properties": {"repobilityId": 87005, "scanner": "repobility-dependency-currency", "fingerprint": "ac16b29f370fefe2861c0c484f991c46e191d8b37a2eb1928e9b244053af6273", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-release-asset", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v1.0.2", "correlation_key": "fp|ac16b29f370fefe2861c0c484f991c46e191d8b37a2eb1928e9b244053af6273", "current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 414}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions-rs/toolchain@v1` is patch version(s) behind (latest v1.0.6)"}, "properties": {"repobilityId": 87001, "scanner": "repobility-dependency-currency", "fingerprint": "c52061043a2cafcacfac5a0237859006a3efd590a669de5c46486699562a3896", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions-rs/toolchain", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v1.0.6", "correlation_key": "fp|c52061043a2cafcacfac5a0237859006a3efd590a669de5c46486699562a3896", 
"current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 86998, "scanner": "repobility-dependency-currency", "fingerprint": "da3b48185d3d32a0ce25a67bdcc15dc9af7abcd39b2ea20dac1e5a17fa9925a3", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|da3b48185d3d32a0ce25a67bdcc15dc9af7abcd39b2ea20dac1e5a17fa9925a3", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 86996, "scanner": "repobility-dependency-currency", "fingerprint": "51f6c342256707af017f276c66234c7c9339e62df34db32bdfda07e35f1ecac1", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|51f6c342256707af017f276c66234c7c9339e62df34db32bdfda07e35f1ecac1", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/ci.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 86993, "scanner": "repobility-dependency-currency", "fingerprint": "a2522c3daea6c7b00d5e7bd2f873a02960771bb07dd63895049b42ca40fad7d5", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|a2522c3daea6c7b00d5e7bd2f873a02960771bb07dd63895049b42ca40fad7d5", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_zip.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 86991, "scanner": "repobility-dependency-currency", "fingerprint": "aac5fde0963beb4618a5ce2f6b2daad2b62a3f2ba627c22d44bf89acfc67917a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|aac5fde0963beb4618a5ce2f6b2daad2b62a3f2ba627c22d44bf89acfc67917a", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_arm64_appimage.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": 
"DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 86988, "scanner": "repobility-dependency-currency", "fingerprint": "db8a5163c8282f8999389a31137b27118a7e5d22f376155cecdb2df4df848b55", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|db8a5163c8282f8999389a31137b27118a7e5d22f376155cecdb2df4df848b55", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_rpm.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions-rs/toolchain@v1` is patch version(s) behind (latest v1.0.6)"}, "properties": {"repobilityId": 86986, "scanner": "repobility-dependency-currency", "fingerprint": "68dd1eb4487fb9baf51024483f8514be7c80b29fa5efb13c332dce30ccfcda0c", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions-rs/toolchain", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v1.0.6", "correlation_key": "fp|68dd1eb4487fb9baf51024483f8514be7c80b29fa5efb13c332dce30ccfcda0c", "current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_apk.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` 
is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 86983, "scanner": "repobility-dependency-currency", "fingerprint": "d2d54a5af10111a0c6f88da335a53d9372e9097488cb36dbf13d37f5281f440d", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|d2d54a5af10111a0c6f88da335a53d9372e9097488cb36dbf13d37f5281f440d", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_apk.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 86981, "scanner": "repobility-dependency-currency", "fingerprint": "7fb93873f462cf184cba983cb9176678419ce2fde4ed0d96b17978f1790b4603", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|7fb93873f462cf184cba983cb9176678419ce2fde4ed0d96b17978f1790b4603", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_arm64_tar.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "RUSTSEC-2026-0097", "level": "error", "message": {"text": "rand: RUSTSEC-2026-0097"}, "properties": {"repobilityId": 87047, "scanner": "osv-scanner", "fingerprint": 
"f5c8b3a980915d7b95109d746e8db4b2999cdf6de21401031dbcbd45c77f3b8e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-cq8v-f236-94qc"], "package": "rand", "rule_id": "RUSTSEC-2026-0097", "scanner": "osv-scanner", "correlation_key": "vuln|rand|GHSA-CQ8V-F236-94QC|server/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cq8v-f236-94qc", "RUSTSEC-2026-0097"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4291ebfbfb16f984d13f38081d434fcf917abe43b7f1c1cf69d3ddff44639932", "f5c8b3a980915d7b95109d746e8db4b2999cdf6de21401031dbcbd45c77f3b8e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0007", "level": "error", "message": {"text": "bytes: RUSTSEC-2026-0007"}, "properties": {"repobilityId": 87046, "scanner": "osv-scanner", "fingerprint": "25e63e86b1593800695de2c751647aa0aecafeb534106fc912af2ae5ae74bbe2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25541", "GHSA-434x-w66g-qw3r"], "package": "bytes", "rule_id": "RUSTSEC-2026-0007", "scanner": "osv-scanner", "correlation_key": "vuln|bytes|CVE-2026-25541|server/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-434x-w66g-qw3r", "RUSTSEC-2026-0007"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["25e63e86b1593800695de2c751647aa0aecafeb534106fc912af2ae5ae74bbe2", "6c03ce297a0ab9df8c4ad2bc92e8ed0fa5e1d53a7d27d98047d48e8a25191ffa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Cargo.lock"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "RUSTSEC-2026-0009", "level": "error", "message": {"text": "time: RUSTSEC-2026-0009"}, "properties": {"repobilityId": 87045, "scanner": "osv-scanner", "fingerprint": "8f72071f130d3f905acf4a522f0062fd2a730cc808a15e2182e54a3ca541b6ba", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25727", "GHSA-r6v5-fh4h-64xc"], "package": "time", "rule_id": "RUSTSEC-2026-0009", "scanner": "osv-scanner", "correlation_key": "vuln|time|CVE-2026-25727|core/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r6v5-fh4h-64xc", "RUSTSEC-2026-0009"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8f72071f130d3f905acf4a522f0062fd2a730cc808a15e2182e54a3ca541b6ba", "c505f048478aafd204232036a5b9561a41d768860debf6cc0438bce67fa02f95"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0104", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0104"}, "properties": {"repobilityId": 87044, "scanner": "osv-scanner", "fingerprint": "076bb85c025cf5c3db06932054840a2715792d83bdb79a3f091cf8384bc04933", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-82j2-j2ch-gfr8"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0104", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-82J2-J2CH-GFR8|core/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-82j2-j2ch-gfr8", "RUSTSEC-2026-0104"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["076bb85c025cf5c3db06932054840a2715792d83bdb79a3f091cf8384bc04933", 
"5a92dde6abdc4a1518f326048329405be3f0e2d2380ce5cf5b2830a99fa798d1"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0099", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "properties": {"repobilityId": 87043, "scanner": "osv-scanner", "fingerprint": "9f6983da7a6db0702049a5ed45cd26b8651ecd98809e701c0a7cbaf94562ae10", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-xgp8-3hg3-c2mh"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0099", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-XGP8-3HG3-C2MH|core/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xgp8-3hg3-c2mh", "RUSTSEC-2026-0099"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["843ca01ac3d01e9693882545d32cec0d49e2045b1a028a02a27cfc9a4f409b3b", "9f6983da7a6db0702049a5ed45cd26b8651ecd98809e701c0a7cbaf94562ae10"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0098", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0098"}, "properties": {"repobilityId": 87042, "scanner": "osv-scanner", "fingerprint": "c8bfd9bb9fb3b0e160d37a35d3a9da3f1a64afcd6d1e7e7f979ed76af27c9833", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-965h-392x-2mh5"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0098", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-965H-392X-2MH5|core/cargo.lock", "duplicate_count": 1, 
"duplicate_rule_ids": ["GHSA-965h-392x-2mh5", "RUSTSEC-2026-0098"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["c8bfd9bb9fb3b0e160d37a35d3a9da3f1a64afcd6d1e7e7f979ed76af27c9833", "e68dc94db2433223cca4b4a9b7514ba3f5d0a89f6df39422915d14c936faae3b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0049", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0049"}, "properties": {"repobilityId": 87041, "scanner": "osv-scanner", "fingerprint": "dfaae7e9f59bd315b65f8d5619b940b335a7beee931c561840079f4a5a104281", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-pwjx-qhcg-rvj4"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0049", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-PWJX-QHCG-RVJ4|core/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-pwjx-qhcg-rvj4", "RUSTSEC-2026-0049"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5dd063c616295d808d4c21cbe6ae92900c8a965bce022770aedf3eea74f0fbc5", "dfaae7e9f59bd315b65f8d5619b940b335a7beee931c561840079f4a5a104281"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2023-0071", "level": "error", "message": {"text": "rsa: RUSTSEC-2023-0071"}, "properties": {"repobilityId": 87040, "scanner": "osv-scanner", "fingerprint": "e351ef2501ccc09bae65dc01d941a4c792e7ef8d83f5ce41f7dc77d1e6c37b1d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-49092", "GHSA-4grx-2x9w-596c", "GHSA-c38w-74pg-36hr"], "package": "rsa", 
"rule_id": "RUSTSEC-2023-0071", "scanner": "osv-scanner", "correlation_key": "vuln|rsa|CVE-2023-49092|core/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0097", "level": "error", "message": {"text": "rand: RUSTSEC-2026-0097"}, "properties": {"repobilityId": 87039, "scanner": "osv-scanner", "fingerprint": "6b52f00781228b25b064e7a0b06be9ef012a27894e6f86cd810d3991e46518c8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-cq8v-f236-94qc"], "package": "rand", "rule_id": "RUSTSEC-2026-0097", "scanner": "osv-scanner", "correlation_key": "vuln|rand|GHSA-CQ8V-F236-94QC|core/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cq8v-f236-94qc", "RUSTSEC-2026-0097"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["6b52f00781228b25b064e7a0b06be9ef012a27894e6f86cd810d3991e46518c8", "841eeaff231ad754ac352d78c5c2ba7e5b2293534f8cc6e8c9202fd61d1e20d1"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0007", "level": "error", "message": {"text": "bytes: RUSTSEC-2026-0007"}, "properties": {"repobilityId": 87038, "scanner": "osv-scanner", "fingerprint": "951d5ea0bad6978853efa1bfe482ec1239a1c5b7a184ad60c3edad3000bf12c3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25541", "GHSA-434x-w66g-qw3r"], "package": "bytes", "rule_id": "RUSTSEC-2026-0007", "scanner": "osv-scanner", "correlation_key": "vuln|bytes|CVE-2026-25541|core/cargo.lock", 
"duplicate_count": 1, "duplicate_rule_ids": ["GHSA-434x-w66g-qw3r", "RUSTSEC-2026-0007"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3cc5344c36c769fbe6bb3f9f2cad7987a515c0e1b59904ab5218a0fbdd6c6007", "951d5ea0bad6978853efa1bfe482ec1239a1c5b7a184ad60c3edad3000bf12c3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0141", "level": "error", "message": {"text": "bincode: RUSTSEC-2025-0141"}, "properties": {"repobilityId": 87037, "scanner": "osv-scanner", "fingerprint": "819a4e3635a69745c70bcc0bf8b533e39997a3b9278de3a4919203380c60a622", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "bincode", "rule_id": "RUSTSEC-2025-0141", "scanner": "osv-scanner", "correlation_key": "fp|819a4e3635a69745c70bcc0bf8b533e39997a3b9278de3a4919203380c60a622"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0009", "level": "error", "message": {"text": "time: RUSTSEC-2026-0009"}, "properties": {"repobilityId": 87036, "scanner": "osv-scanner", "fingerprint": "f93a53be59090087c4f03e8e545dd3875d0921d53c32743d67a52536c23f5e12", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25727", "GHSA-r6v5-fh4h-64xc"], "package": "time", "rule_id": "RUSTSEC-2026-0009", "scanner": "osv-scanner", "correlation_key": "vuln|time|CVE-2026-25727|app/rust/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r6v5-fh4h-64xc", "RUSTSEC-2026-0009"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": 
["9ce3e7d4f5cc9dd6e3733ef39a42a91e746ea0b9c22beb6229ce77afb1f18fe9", "f93a53be59090087c4f03e8e545dd3875d0921d53c32743d67a52536c23f5e12"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0104", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0104"}, "properties": {"repobilityId": 87035, "scanner": "osv-scanner", "fingerprint": "e1bc9f359fd4777f55d4a60a2e7f3df446553e655dc39d7a10995eeb9f04c7e0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-82j2-j2ch-gfr8"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0104", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-82J2-J2CH-GFR8|app/rust/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-82j2-j2ch-gfr8", "RUSTSEC-2026-0104"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["6deeb9648830e74a387c97f1d8d93476ce593f483e7b14dd76238bd42b444871", "e1bc9f359fd4777f55d4a60a2e7f3df446553e655dc39d7a10995eeb9f04c7e0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0099", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "properties": {"repobilityId": 87034, "scanner": "osv-scanner", "fingerprint": "70cff8e18cd19feec20c363a586e6950adb3e1161d8a5c36e978218f5fcdc3ed", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-xgp8-3hg3-c2mh"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0099", "scanner": "osv-scanner", "correlation_key": 
"vuln|rustls-webpki|GHSA-XGP8-3HG3-C2MH|app/rust/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xgp8-3hg3-c2mh", "RUSTSEC-2026-0099"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["02cb18d5a194045a93c118233562b84384ddcd04183e99245d3790ae680e5270", "70cff8e18cd19feec20c363a586e6950adb3e1161d8a5c36e978218f5fcdc3ed"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0098", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0098"}, "properties": {"repobilityId": 87033, "scanner": "osv-scanner", "fingerprint": "1932e7c33649b42eb020ead8b0f9caa195360a7ebb88fcdba10266ef18d62bf0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-965h-392x-2mh5"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0098", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-965H-392X-2MH5|app/rust/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-965h-392x-2mh5", "RUSTSEC-2026-0098"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1932e7c33649b42eb020ead8b0f9caa195360a7ebb88fcdba10266ef18d62bf0", "b9b0dad97524eb24b923de0a8253e0cbba45bdcc114ebd6aad90638cdba6179f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0049", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0049"}, "properties": {"repobilityId": 87032, "scanner": "osv-scanner", "fingerprint": "0c0a851ee15e6ff7a0a2dfc7b60941ff8b084f743d89db5a37d858793ca538ad", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate 
scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-pwjx-qhcg-rvj4"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0049", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-PWJX-QHCG-RVJ4|app/rust/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-pwjx-qhcg-rvj4", "RUSTSEC-2026-0049"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0c0a851ee15e6ff7a0a2dfc7b60941ff8b084f743d89db5a37d858793ca538ad", "754b63d101609b236b6acc3141094702b0a818072361601d1abd7e0b49c26c6c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2023-0071", "level": "error", "message": {"text": "rsa: RUSTSEC-2023-0071"}, "properties": {"repobilityId": 87031, "scanner": "osv-scanner", "fingerprint": "9537d7b1c9c67c7610dbec79a60d80c7582d9c401d7ad8b1548e73b061849984", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-49092", "GHSA-4grx-2x9w-596c", "GHSA-c38w-74pg-36hr"], "package": "rsa", "rule_id": "RUSTSEC-2023-0071", "scanner": "osv-scanner", "correlation_key": "vuln|rsa|CVE-2023-49092|app/rust/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0097", "level": "error", "message": {"text": "rand: RUSTSEC-2026-0097"}, "properties": {"repobilityId": 87030, "scanner": "osv-scanner", "fingerprint": "647df0420bf03a06807be0498cb61d0d3d7b4e4815cf3e0304612ebafa548c50", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-cq8v-f236-94qc"], "package": "rand", "rule_id": 
"RUSTSEC-2026-0097", "scanner": "osv-scanner", "correlation_key": "vuln|rand|GHSA-CQ8V-F236-94QC|app/rust/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cq8v-f236-94qc", "RUSTSEC-2026-0097"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["647df0420bf03a06807be0498cb61d0d3d7b4e4815cf3e0304612ebafa548c50", "f66ef4fce2fbbfa1ed3ebe0ccae1a5eb6fb5bb4c80e9f5b21ba1df5802cf9ec5"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0141", "level": "error", "message": {"text": "bincode: RUSTSEC-2025-0141"}, "properties": {"repobilityId": 87029, "scanner": "osv-scanner", "fingerprint": "6eedacdc7c8f373e6a9258c2affc51ef3b302490d5b2f4a7892c8d6ec02bc50b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "bincode", "rule_id": "RUSTSEC-2025-0141", "scanner": "osv-scanner", "correlation_key": "fp|6eedacdc7c8f373e6a9258c2affc51ef3b302490d5b2f4a7892c8d6ec02bc50b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0056", "level": "error", "message": {"text": "adler: RUSTSEC-2025-0056"}, "properties": {"repobilityId": 87028, "scanner": "osv-scanner", "fingerprint": "3e80580945f3a2b05c09127fb9178e106d907f5327d2ad5cd1a7403ffd413a11", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "adler", "rule_id": "RUSTSEC-2025-0056", "scanner": "osv-scanner", "correlation_key": "fp|3e80580945f3a2b05c09127fb9178e106d907f5327d2ad5cd1a7403ffd413a11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED003", "level": "error", "message": 
{"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 87018, "scanner": "repobility-threat-engine", "fingerprint": "48d266b13ade6a040b0fe719d9561f71cfe9b3b2138ee2c029518d8da73e4d8d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|48d266b13ade6a040b0fe719d9561f71cfe9b3b2138ee2c029518d8da73e4d8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/http/dto_v2.rs"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 87017, "scanner": "repobility-threat-engine", "fingerprint": "750bd6089b14511bd214b9438c9a4b97d17c006818709810bfc95af07bbf619e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|750bd6089b14511bd214b9438c9a4b97d17c006818709810bfc95af07bbf619e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/http/client/v3.rs"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 87016, "scanner": "repobility-threat-engine", "fingerprint": "37f549af945c2be6b4a62e0fdf76cd836ae48c3933829bf048fb9ca7aea4516f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37f549af945c2be6b4a62e0fdf76cd836ae48c3933829bf048fb9ca7aea4516f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/crypto/token.rs"}, "region": {"startLine": 229}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 87015, "scanner": "repobility-threat-engine", "fingerprint": "eda91ff0720c9bcbdbee5596076e5a506f99a82b8bea5fc7dbf7f6055ccbf40d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hasher.update(data);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eda91ff0720c9bcbdbee5596076e5a506f99a82b8bea5fc7dbf7f6055ccbf40d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/crypto/hash.rs"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED008", "level": "error", "message": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let."}, "properties": {"repobilityId": 87013, "scanner": "repobility-threat-engine", "fingerprint": "f76973e25c7845a3b8ad2b7335d9e35c5a51717eef25c66243fe33ae87f9738c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-force-unwrap", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347916+00:00", "triaged_in_corpus": 15, "observations_count": 210453, "ai_coder_pattern_id": 157}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f76973e25c7845a3b8ad2b7335d9e35c5a51717eef25c66243fe33ae87f9738c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/macos/ShareExtension/Utilities.swift"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED008", "level": "error", "message": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. 
Use guard let or if let."}, "properties": {"repobilityId": 87012, "scanner": "repobility-threat-engine", "fingerprint": "2734fcd73ef71ccfb32fa37fe411331a808598b793744a7ad42afe0f014c1f52", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-force-unwrap", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347916+00:00", "triaged_in_corpus": 15, "observations_count": 210453, "ai_coder_pattern_id": 157}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2734fcd73ef71ccfb32fa37fe411331a808598b793744a7ad42afe0f014c1f52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/macos/Runner/AppDelegate.swift"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 87011, "scanner": "repobility-threat-engine", "fingerprint": "1136df5d94d02b93d51cf6a56a3c1836c04ebd3f8d04da20a42641b7397e40f6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1136df5d94d02b93d51cf6a56a3c1836c04ebd3f8d04da20a42641b7397e40f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/macos/Runner/Utilities.swift"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 87010, "scanner": "repobility-threat-engine", "fingerprint": "66485b8ab935f128e8ccac6e78d5d8613f00ef77dcb12a4116d2b3b6cb75d037", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|66485b8ab935f128e8ccac6e78d5d8613f00ef77dcb12a4116d2b3b6cb75d037"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/macos/Runner/SecurityScopedResourceManager.swift"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 87009, "scanner": "repobility-threat-engine", "fingerprint": "8350dd201010d7c625b455cdc5fb9c3f7962bf597219f2c86c208eb96064c536", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8350dd201010d7c625b455cdc5fb9c3f7962bf597219f2c86c208eb96064c536"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/macos/Runner/AppDelegate.swift"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 87007, "scanner": "repobility-threat-engine", "fingerprint": "cb015160feba3ed6d6edcf22f7ad07a2e10cb027ffb08f1c75dd2d2c048eae49", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cb015160feba3ed6d6edcf22f7ad07a2e10cb027ffb08f1c75dd2d2c048eae49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/android/app/src/main/kotlin/org/localsend/localsend_app/MainActivity.kt"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": 
"[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 87006, "scanner": "repobility-threat-engine", "fingerprint": "aa649ef9093486413875a422707f26e86ee97215d7167ecf80338fa8f5d9f07f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa649ef9093486413875a422707f26e86ee97215d7167ecf80338fa8f5d9f07f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/android/app/src/main/kotlin/org/localsend/localsend_app/FastDocumentFile.kt"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file 
`scripts/windows/x64/vcruntime140_1.dll` committed in source repo"}, "properties": {"repobilityId": 86979, "scanner": "repobility-supply-chain", "fingerprint": "b9c410f077165f1eda9f4d86aa8293a3eb9ae70f28d75243143987eedf2dcb35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9c410f077165f1eda9f4d86aa8293a3eb9ae70f28d75243143987eedf2dcb35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/windows/x64/vcruntime140_1.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `scripts/windows/x64/vcruntime140.dll` committed in source repo"}, "properties": {"repobilityId": 86978, "scanner": "repobility-supply-chain", "fingerprint": "5a28321c57162da7d39d2a79c77ae741d7e93102bf6155c9e8f84afa232c595a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a28321c57162da7d39d2a79c77ae741d7e93102bf6155c9e8f84afa232c595a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/windows/x64/vcruntime140.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86977, "scanner": "repobility-supply-chain", "fingerprint": "78b37fc1a425a082b5be7f8c2994e2dfe97596100d29553473c9f2df8f2a7101", "category": "dependency", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|78b37fc1a425a082b5be7f8c2994e2dfe97596100d29553473c9f2df8f2a7101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `flutter-actions/setup-flutter` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 86976, "scanner": "repobility-supply-chain", "fingerprint": "bd8df220402a1ec6535ba23d8333525c220203d2c24657d1332720c3e23a9151", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd8df220402a1ec6535ba23d8333525c220203d2c24657d1332720c3e23a9151"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86975, "scanner": "repobility-supply-chain", "fingerprint": "fbe50863077840c99b334f64973e7a23876df830a8301b7d59f8e71423643c0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|fbe50863077840c99b334f64973e7a23876df830a8301b7d59f8e71423643c0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `flutter-actions/setup-flutter` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 86974, "scanner": "repobility-supply-chain", "fingerprint": "d77251792f84a59370b119e05242ea10351c8d2eaf34ff14275885de3710af5d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d77251792f84a59370b119e05242ea10351c8d2eaf34ff14275885de3710af5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86973, "scanner": "repobility-supply-chain", "fingerprint": "23636ea01d501f32aa04be627c5e9e9262c0872637898873d9925403127a84c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|23636ea01d501f32aa04be627c5e9e9262c0872637898873d9925403127a84c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref 
`@v6`"}, "properties": {"repobilityId": 86972, "scanner": "repobility-supply-chain", "fingerprint": "e4916a8de9a2866aa6084183dcb2ed8b75d50bce8293a4b3a3d9248966cb95a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4916a8de9a2866aa6084183dcb2ed8b75d50bce8293a4b3a3d9248966cb95a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_zip.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `subosito/flutter-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 86971, "scanner": "repobility-supply-chain", "fingerprint": "a8135c1880ac0eacad3b59aace2b96d8831fe9c0b732815e3f70b0a525233e3f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8135c1880ac0eacad3b59aace2b96d8831fe9c0b732815e3f70b0a525233e3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_zip.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86970, "scanner": "repobility-supply-chain", "fingerprint": "6580994075df8a92161985caa14e3a1cc45b189ff2d6349bafe51109f22637b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6580994075df8a92161985caa14e3a1cc45b189ff2d6349bafe51109f22637b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_zip.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86969, "scanner": "repobility-supply-chain", "fingerprint": "3ffbcd9b33b75bab4855787ad6272248be8cc14d9e63bef7afe1532702ca6770", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ffbcd9b33b75bab4855787ad6272248be8cc14d9e63bef7afe1532702ca6770"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_zip.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86968, "scanner": "repobility-supply-chain", "fingerprint": "a802dfdc4a75c781684730decc07e2abcf23532c4eecfac086b07b7e69341cc4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a802dfdc4a75c781684730decc07e2abcf23532c4eecfac086b07b7e69341cc4"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_arm64_appimage.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86967, "scanner": "repobility-supply-chain", "fingerprint": "4fc81d4ee5a42339883cd34c76fc5112487916a0bf538c7056917deec6991229", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fc81d4ee5a42339883cd34c76fc5112487916a0bf538c7056917deec6991229"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_arm64_appimage.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86966, "scanner": "repobility-supply-chain", "fingerprint": "03301460896f272b2883712b4cf7c2de056697c5a456d83acf821c570fb7ccb4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03301460896f272b2883712b4cf7c2de056697c5a456d83acf821c570fb7ccb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_arm64_appimage.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `fedora:38` unpinned"}, "properties": {"repobilityId": 86965, 
"scanner": "repobility-supply-chain", "fingerprint": "a74b487fdef3a9e05ca0f62468f7ef8a06c0323c743534f62ebe8a7e299a299b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a74b487fdef3a9e05ca0f62468f7ef8a06c0323c743534f62ebe8a7e299a299b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_rpm.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86964, "scanner": "repobility-supply-chain", "fingerprint": "a1ef49f8eaa48d79a9a8901663d1739cbff53b10a40460ea8fd1794b8444844b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a1ef49f8eaa48d79a9a8901663d1739cbff53b10a40460ea8fd1794b8444844b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_rpm.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `subosito/flutter-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 86963, "scanner": "repobility-supply-chain", "fingerprint": "3a8c81146351f07fd6ae4fb85bfa1ab2eee05561b2c6074bf89bd265f915e585", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": 
{"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a8c81146351f07fd6ae4fb85bfa1ab2eee05561b2c6074bf89bd265f915e585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_rpm.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86962, "scanner": "repobility-supply-chain", "fingerprint": "bb9cd12348466f7f03aceccbf800d1fa2b0d2aabacb2dfb24733263a0256c932", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb9cd12348466f7f03aceccbf800d1fa2b0d2aabacb2dfb24733263a0256c932"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_rpm.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86961, "scanner": "repobility-supply-chain", "fingerprint": "cd77a6351c41b71d1e913d06c217694b1b701db886bcd6dddd35590c1b0f3e2b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd77a6351c41b71d1e913d06c217694b1b701db886bcd6dddd35590c1b0f3e2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/test_rpm.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86960, "scanner": "repobility-supply-chain", "fingerprint": "6b16a6bd21e7301ae3db6abb8d83e776faf152a5f030855a3b23e129c3177e46", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b16a6bd21e7301ae3db6abb8d83e776faf152a5f030855a3b23e129c3177e46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_apk.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions-rs/toolchain` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 86959, "scanner": "repobility-supply-chain", "fingerprint": "8f05d34f0bcf6bd0f99d13453880902e01417a20b4726c8d1a45934742206202", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f05d34f0bcf6bd0f99d13453880902e01417a20b4726c8d1a45934742206202"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_apk.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `subosito/flutter-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 86958, "scanner": "repobility-supply-chain", "fingerprint": 
"a9777def52fab2972ac861c8d5c9acf329602a7dbc0877f20fd4c3c25101dcd4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a9777def52fab2972ac861c8d5c9acf329602a7dbc0877f20fd4c3c25101dcd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_apk.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 86957, "scanner": "repobility-supply-chain", "fingerprint": "9eefcad6d0ce60f9f9d315053af2bed1a5bfcccfe2eca1c3b00769a2bc11bd61", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9eefcad6d0ce60f9f9d315053af2bed1a5bfcccfe2eca1c3b00769a2bc11bd61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_apk.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86956, "scanner": "repobility-supply-chain", "fingerprint": "6c0f2656f3f6dc94ee509172fcef2c8407fad706c8295bac89e329b09ef4987c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c0f2656f3f6dc94ee509172fcef2c8407fad706c8295bac89e329b09ef4987c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_apk.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86955, "scanner": "repobility-supply-chain", "fingerprint": "577668d179ccc31c2615400acfd1f51225a7a49d21a1c40217e15683e9357fd5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|577668d179ccc31c2615400acfd1f51225a7a49d21a1c40217e15683e9357fd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_apk.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86954, "scanner": "repobility-supply-chain", "fingerprint": "fe07fa189ba76d7409ca723e2fb679b83d0357447d28216684c060692a5d6585", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe07fa189ba76d7409ca723e2fb679b83d0357447d28216684c060692a5d6585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_arm64_tar.yml"}, "region": 
{"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86953, "scanner": "repobility-supply-chain", "fingerprint": "f94b62e22180eb3233fc443f9bc9e06ad9fbad80c8968f5a6d6623898d49e4da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f94b62e22180eb3233fc443f9bc9e06ad9fbad80c8968f5a6d6623898d49e4da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_arm64_tar.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 86952, "scanner": "repobility-supply-chain", "fingerprint": "b0e00756463e0c95c269527dd8db5c8b1f742c26347ec6be9d3d068fce62ffc0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0e00756463e0c95c269527dd8db5c8b1f742c26347ec6be9d3d068fce62ffc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_arm64_tar.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `debian:bookworm` not pinned by digest"}, "properties": {"repobilityId": 86951, "scanner": "repobility-supply-chain", "fingerprint": "96d3bf87f8a7f0dd4daa10ed3484f07d68384f18a2d76e0e9ddbe8314b8c65d7", 
"category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|96d3bf87f8a7f0dd4daa10ed3484f07d68384f18a2d76e0e9ddbe8314b8c65d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `rust:1.83` not pinned by digest"}, "properties": {"repobilityId": 86950, "scanner": "repobility-supply-chain", "fingerprint": "fa1661dc481e765e5d001df28ec31ee45f72e271847dd06879c0ac35a985057e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa1661dc481e765e5d001df28ec31ee45f72e271847dd06879c0ac35a985057e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 87027, "scanner": "gitleaks", "fingerprint": "951360d0642a4b8a93a72f9cfe18b79fb6a91b7ffc09f303697c49a482589b5a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": 
"secret|core/src/main.rs|4|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main.rs"}, "region": {"startLine": 50}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 87026, "scanner": "gitleaks", "fingerprint": "11726135956d0a18f49a36c6e52c71f5cb90d4a37a2bafc32ab49dc1a26abce2", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|3|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/test/unit/util/security_helper_test.dart"}, "region": {"startLine": 35}}}]}]}]}