{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework, covering build outputs and local secret files (.env, *.pem, *.key, credential files). A .gitignore only prevents future accidental adds; it does nothing for content already in history, so any secret found committed must be rotated and purged from history, and the ignore list should be paired with pre-commit secret scanning."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM.", "shortDescription": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "fullDescription": {"text": "Do not call System.exit() from library or plugin code: it terminates the whole JVM, skipping the host application's own cleanup (open files, connections, pending writes) and leaving callers no way to recover. Throw an exception or return a status instead, and let the application entry point decide whether to exit. See CWE-1075 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Use https:// for any endpoint that carries credentials, session tokens, or data the application acts on; cleartext HTTP can be read and modified in transit (CWE-319 / OWASP A02:2021). Loopback and development-only URLs are acceptable, but mark them as such in a comment so the exception is a deliberate choice rather than an oversight."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nA hostname allowlist alone is not sufficient: also restrict the scheme to http/https, resolve the host and reject any address in a private, loopback, link-local or cloud-metadata range (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16 including 169.254.169.254, ::1, fc00::/7, fe80::/10), and either disable redirects or re-validate every redirect target, because an allowed host can redirect to an internal one. Where the HTTP client allows it, check the resolved address at connect time, so a DNS answer that changes between the check and the fetch (rebinding) cannot bypass the allowlist.\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED083] Java Thread Start (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Raw thread creation (new Thread(...).start()) leaves the application with no central place to bound, name, monitor or shut down its threads (CWE-664, improper control of a resource through its lifetime). Prefer an ExecutorService or another managed pool, give threads names, and make sure they are daemon threads or are stopped on shutdown so they neither keep the JVM alive nor leak."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace (and 34 more): Same pattern found in 34 additional files. Review if needed.", "shortDescription": {"text": "[MINED081] Java Printstacktrace (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "fullDescription": {"text": "printStackTrace() writes the full trace to stderr outside the application's logging: it bypasses log levels, redaction and retention, and can expose internal class names, file paths and library versions to whoever can see the console (CWE-532). Log the exception through the application's logger at an appropriate level, and decide explicitly whether it should be rethrown or handled."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-release-asset` pinned to mutable ref `@v1`: `uses: actions/upload-release-asset@v1` re", "shortDescription": {"text": "[MINED115] Action `actions/upload-release-asset` pinned to mutable ref `@v1`: `uses: actions/upload-release-asset@v1` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-fi"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-release-asset@<40-char-sha>  # v1`, where the SHA is the commit the `v1` tag currently points to (check it yourself with `git ls-remote --tags` rather than copying a value from a third-party snippet), and let Dependabot bump it on a scheduled cadence; its updates keep the SHA and the version comment in step. Use the full 40-character SHA: abbreviated SHAs are not immutable pins."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, make the intent explicit so lint does not flag it: in TS prefix the call with `void` and attach a `.catch` so a rejection is not lost as an unhandled rejection; in Python wrap the call in `asyncio.create_task(...)` and keep a strong reference to the returned task (for example add it to a set and discard it in a done callback). The event loop holds only a weak reference to tasks, so a task assigned to `_` or dropped can be garbage-collected mid-execution."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), JUnit (Java), or go test (Go). 
Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1033"}, "properties": {"repository": "CommonWealthRobotics/BowlerStudio", "repoUrl": "https://github.com/CommonWealthRobotics/BowlerStudio", "branch": "development"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 96740, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Spring Boot"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 96725, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 96741, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Spring Boot"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96739, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8715215944c6e3af6b60f8c853a97da97518ae4c46e4baef3c1196b20a832b25", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "src/main/java/com/neuronrobotics/graphing/ExcelWriter.java", "duplicate_line": 15, "correlation_key": "fp|8715215944c6e3af6b60f8c853a97da97518ae4c46e4baef3c1196b20a832b25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/pidsim/ExcelWriter.java"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96738, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2998965189ca0d3c06822824160607bd37a87bf3624f4e90239ae5aa652ae2fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/nrconsole/plugin/bootloader/BootloaderPanel.java", "duplicate_line": 83, "correlation_key": "fp|2998965189ca0d3c06822824160607bd37a87bf3624f4e90239ae5aa652ae2fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/nrconsole/plugin/bootloader/gui/NR_Bootloader_GUI.java"}, "region": {"startLine": 134}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96737, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1fa621a1e0e7459a11671655831031776e96496e6c07f0bdb77dc3fd2a60557", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/CreatureLab3dController.java", "duplicate_line": 16, "correlation_key": "fp|e1fa621a1e0e7459a11671655831031776e96496e6c07f0bdb77dc3fd2a60557"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/threed/CreaturelLabController.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96736, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f2a948c513e0458be0a344cc4851555c5b910b989f376b8db15b6d8a58db1a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/creature/VitaminWidgetTest.java", "duplicate_line": 22, "correlation_key": "fp|0f2a948c513e0458be0a344cc4851555c5b910b989f376b8db15b6d8a58db1a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/tabs/WebTabTest.java"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96735, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a5c55ef752d9c3510ed0b6e648cc2270e10948ed11f203c92b47ea01c2d7e9ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/scripting/external/OpenSCADExternalEditor.java", "duplicate_line": 34, "correlation_key": "fp|a5c55ef752d9c3510ed0b6e648cc2270e10948ed11f203c92b47ea01c2d7e9ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/scripting/external/SceneBuilderExternalEditor.java"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96734, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3fafdba3f497f801cbef160af9b3ef8b16dbe909fc957f1d08cb8c5f99a68bde", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/scripting/external/OpenSCADExternalEditor.java", "duplicate_line": 35, "correlation_key": "fp|3fafdba3f497f801cbef160af9b3ef8b16dbe909fc957f1d08cb8c5f99a68bde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/scripting/external/SVGExternalEditor.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96733, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7956b182a1258c456651286f0d3789d497d9359e3231f977415fda09d95261b6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 
12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/Terminal.java", "duplicate_line": 176, "correlation_key": "fp|7956b182a1258c456651286f0d3789d497d9359e3231f977415fda09d95261b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/scripting/ScriptingWebWidget.java"}, "region": {"startLine": 120}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96732, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d656baadddedd5713e2e5bc6a2c430698012f245b04ffbaeec6e29c13db97d4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/scripting/ScriptingFileWidget.java", "duplicate_line": 371, "correlation_key": "fp|d656baadddedd5713e2e5bc6a2c430698012f245b04ffbaeec6e29c13db97d4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/scripting/ScriptingWebWidget.java"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96731, "scanner": "repobility-ai-code-hygiene", "fingerprint": "690072bc7200f1a9288a17a8f85c9e0e8797ee90642474c99b9e5702e7c8d300", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/Terminal.java", "duplicate_line": 176, "correlation_key": "fp|690072bc7200f1a9288a17a8f85c9e0e8797ee90642474c99b9e5702e7c8d300"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/scripting/ScriptingFileWidget.java"}, "region": {"startLine": 385}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96730, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a26d307d5ca10f3196e6f30fe716f12ac18bd3a346b8ad27415461a619fb655", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/scripting/AskToDeleteWidget.java", "duplicate_line": 20, "correlation_key": "fp|7a26d307d5ca10f3196e6f30fe716f12ac18bd3a346b8ad27415461a619fb655"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/scripting/ScriptingFileWidget.java"}, "region": {"startLine": 285}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96729, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9aa7da4c117570b80eddd3e448e7e835f5708f644c0ef9e4ef3273030c8b5137", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/creature/JogMobileBase.java", "duplicate_line": 180, "correlation_key": "fp|9aa7da4c117570b80eddd3e448e7e835f5708f644c0ef9e4ef3273030c8b5137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/creature/JogWidget.java"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96728, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f1ca90b86f613a81cf8775937579c546a0c6f9a5e57fc7ef5ec3e27da3ef2046", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/AddFileToGistController.java", "duplicate_line": 229, "correlation_key": "fp|f1ca90b86f613a81cf8775937579c546a0c6f9a5e57fc7ef5ec3e27da3ef2046"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/NewVitaminWizardController.java"}, "region": {"startLine": 201}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96727, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e6f26a0a7d5a424b066dc481d4b507430741c2fb4f4e50840593c331c59f229", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/AddFileToGistController.java", "duplicate_line": 229, "correlation_key": "fp|4e6f26a0a7d5a424b066dc481d4b507430741c2fb4f4e50840593c331c59f229"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/MakeReleaseController.java"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96726, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6fbbab005c16b1c1e47c006eea84c9cbcae316d8de69a38c47b0b145fb7c2bc1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/com/neuronrobotics/bowlerstudio/AddFileToGistController.java", "duplicate_line": 229, "correlation_key": "fp|6fbbab005c16b1c1e47c006eea84c9cbcae316d8de69a38c47b0b145fb7c2bc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/ConnectionManager.java"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 96720, "scanner": "repobility-threat-engine", "fingerprint": "5c040da58b387fa6027e8f3fb1184b5b1d99ac149379bcf4767548828933f66d", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Max Torque exceded, actuator saturates at: \" + maxTorque + \" N*M, tried to set to value: \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5c040da58b387fa6027e8f3fb1184b5b1d99ac149379bcf4767548828933f66d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/pidsim/LinearPhysicsEngine.java"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 96719, "scanner": "repobility-threat-engine", "fingerprint": "d110e1008cf769077f7c3cf2f5041debca87b5b19065645257025d7dbf9fbea6", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"false start \" + port + \" at baud \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d110e1008cf769077f7c3cf2f5041debca87b5b19065645257025d7dbf9fbea6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/utils/BowlerConnectionMenu.java"}, "region": {"startLine": 158}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 96718, "scanner": "repobility-threat-engine", "fingerprint": "6a549d386b0d7a2c5346dfa4e39be770e0004c40a233ca0cff6cf1dd634ab648", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\" history index = \"\n\t\t\t\t\t\t+ historyIndex + \" history size= \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6a549d386b0d7a2c5346dfa4e39be770e0004c40a233ca0cff6cf1dd634ab648"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/Terminal.java"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 96724, "scanner": "repobility-threat-engine", "fingerprint": "de0fbce620bfd552c9ba47226b52b58e5302492dc4d0616161949265658a0f93", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de0fbce620bfd552c9ba47226b52b58e5302492dc4d0616161949265658a0f93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/main/java/com/neuronrobotics/nrconsole/plugin/bootloader/gui/NRBootLoaderApp.java"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 96723, "scanner": "repobility-threat-engine", "fingerprint": "5739a62ec0d942807a5e9bb4006e4933a92cf04bf3e24b167b55d3d2150c899b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5739a62ec0d942807a5e9bb4006e4933a92cf04bf3e24b167b55d3d2150c899b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/tabs/WebTabController.java"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 96722, "scanner": "repobility-threat-engine", "fingerprint": "137e21495337c3034e1f5eac22a98dbe7bc2406f3a5e7bf914b20129e82f0907", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, 
"ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|137e21495337c3034e1f5eac22a98dbe7bc2406f3a5e7bf914b20129e82f0907"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/tabs/WebTab.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 96721, "scanner": "repobility-threat-engine", "fingerprint": "8ec81cb98776ec0abe3591f09fb000a5d55e592460c0bb5ff2e2c64e589a4d19", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8ec81cb98776ec0abe3591f09fb000a5d55e592460c0bb5ff2e2c64e589a4d19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/Tutorial.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 96715, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 96711, "scanner": "repobility-threat-engine", "fingerprint": "c0fdca66c4541227c19efd8060a813cfe82d0a9441c7ae33c992548971272f9d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c0fdca66c4541227c19efd8060a813cfe82d0a9441c7ae33c992548971272f9d", "aggregated_count": 16}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. 
Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 96710, "scanner": "repobility-threat-engine", "fingerprint": "5a26b6d8f0d01cadd89a2b1c7b738926f1e571914e2fbef987c97f27d16467e8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a26b6d8f0d01cadd89a2b1c7b738926f1e571914e2fbef987c97f27d16467e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/ChangeAssetRepoController.java"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. 
Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 96709, "scanner": "repobility-threat-engine", "fingerprint": "7528a15adc8f0f3353b6f0d00c62c9834ccf01d2399a6af3528878da88eba96e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7528a15adc8f0f3353b6f0d00c62c9834ccf01d2399a6af3528878da88eba96e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/BowlerStudioMenuWorkspace.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. 
Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 96708, "scanner": "repobility-threat-engine", "fingerprint": "22acf3d14a850e0c235df74160e58298f0bb8deacf7f30297ded3825444d49bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|22acf3d14a850e0c235df74160e58298f0bb8deacf7f30297ded3825444d49bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/AddFileToGistController.java"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "properties": {"repobilityId": 96707, "scanner": "repobility-threat-engine", "fingerprint": "4aa4e187193563a7efae5329505022488815e8b6be4d4be6ac41d267de85cafb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 34 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4aa4e187193563a7efae5329505022488815e8b6be4d4be6ac41d267de85cafb", "aggregated_count": 34}}}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 96706, "scanner": "repobility-threat-engine", "fingerprint": "cdb883f09c284afed28aa99b1e122f43a039a4a01acc61037f789886993dfe98", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cdb883f09c284afed28aa99b1e122f43a039a4a01acc61037f789886993dfe98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/BowlerStudioModularFrame.java"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 96705, "scanner": "repobility-threat-engine", "fingerprint": "13d129add2d5c55a2e099d774ef6cf4c06b2cc355c43db425ed99b1fa9416645", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|13d129add2d5c55a2e099d774ef6cf4c06b2cc355c43db425ed99b1fa9416645"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/BowlerStudioMenuWorkspace.java"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 96704, "scanner": "repobility-threat-engine", "fingerprint": "a7717aeb58046d7d8035ec5edfd95593c8d4ca31aa7b67aa8457e84da71d089b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7717aeb58046d7d8035ec5edfd95593c8d4ca31aa7b67aa8457e84da71d089b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/AddFileToGistController.java"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-release-asset` pinned to mutable ref `@v1`: `uses: actions/upload-release-asset@v1` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner, which is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a full 40-character commit SHA and lock it with Dependabot or Renovate."}, "properties": {"repobilityId": 96748, "scanner": "repobility-supply-chain", "fingerprint": "59ab6d4b66d299e92dd2ec2eb49088be53bf8aed6c469185c5b90f03d2079ed2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59ab6d4b66d299e92dd2ec2eb49088be53bf8aed6c469185c5b90f03d2079ed2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-release-asset` pinned to mutable ref `@v1`: `uses: actions/upload-release-asset@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner, which is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to a full 40-character commit SHA and lock it with Dependabot or Renovate."}, "properties": {"repobilityId": 96747, "scanner": "repobility-supply-chain", "fingerprint": "12aa3deb476508c6a5a922b36a4091ab32f76775d491a9e60ee73ed1d3ab838e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12aa3deb476508c6a5a922b36a4091ab32f76775d491a9e60ee73ed1d3ab838e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-release` pinned to mutable ref `@v1`: `uses: actions/create-release@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner, which is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to a full 40-character commit SHA and lock it with Dependabot or Renovate."}, "properties": {"repobilityId": 96746, "scanner": "repobility-supply-chain", "fingerprint": "b0d76bce18a3338e3e88cef7b5ff385c72d6270ce1f6c66e14b0779b13bbad13", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0d76bce18a3338e3e88cef7b5ff385c72d6270ce1f6c66e14b0779b13bbad13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v1`: `uses: actions/setup-java@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner, which is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to a full 40-character commit SHA and lock it with Dependabot or Renovate."}, "properties": {"repobilityId": 96745, "scanner": "repobility-supply-chain", "fingerprint": "19dea0eb6037094121df3b9c5223a01a8cbc21ec910b21fdb74d32027c475988", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|19dea0eb6037094121df3b9c5223a01a8cbc21ec910b21fdb74d32027c475988"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner, which is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to a full 40-character commit SHA and lock it with Dependabot or Renovate."}, "properties": {"repobilityId": 96744, "scanner": "repobility-supply-chain", "fingerprint": "ae416fcec53c58db09654551908da465579cf1f70ee4aa0cb35183e7e576f933", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae416fcec53c58db09654551908da465579cf1f70ee4aa0cb35183e7e576f933"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v1`: `uses: actions/setup-java@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner, which is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to a full 40-character commit SHA and lock it with Dependabot or Renovate."}, "properties": {"repobilityId": 96743, "scanner": "repobility-supply-chain", "fingerprint": "796019ae6d1a846a249741fffb3b4feccf64271ff6282dea1bea9c6b112e2b8c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|796019ae6d1a846a249741fffb3b4feccf64271ff6282dea1bea9c6b112e2b8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner, which is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to a full 40-character commit SHA and lock it with Dependabot or Renovate."}, "properties": {"repobilityId": 96742, "scanner": "repobility-supply-chain", "fingerprint": "5c3521eb4dc989270c4fd22c5af9a3f414b44409e56fa201db18874531bb7f12", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c3521eb4dc989270c4fd22c5af9a3f414b44409e56fa201db18874531bb7f12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 96717, "scanner": "repobility-threat-engine", "fingerprint": "a80f794115984cbf341b79e1e7b9d2697fe485aaabf26cadb56de017e6c19330", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ConfigurationDatabase.save();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a80f794115984cbf341b79e1e7b9d2697fe485aaabf26cadb56de017e6c19330"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/ChangeAssetRepoController.java"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 96716, "scanner": "repobility-threat-engine", "fingerprint": "221ea391a1c25c79aa9a351fed3e7607cc97eba42785178e28c2dc4840f8bef4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ConfigurationDatabase.save();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|221ea391a1c25c79aa9a351fed3e7607cc97eba42785178e28c2dc4840f8bef4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/BowlerStudioMenuWorkspace.java"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 96714, "scanner": "repobility-threat-engine", "fingerprint": "3597d013911386b38f838b769bba6710fd085e5404e98d571a36cc6cda8061bd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(T", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3597d013911386b38f838b769bba6710fd085e5404e98d571a36cc6cda8061bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/tabs/WebTab.java"}, "region": {"startLine": 170}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 96713, "scanner": "repobility-threat-engine", "fingerprint": "9c0bec545d04438e42b56f01ff373a21628b24ed5f786de565e10a3bb13ec354", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9c0bec545d04438e42b56f01ff373a21628b24ed5f786de565e10a3bb13ec354"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/creature/VitatminWidget.java"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 96712, "scanner": "repobility-threat-engine", "fingerprint": "9b8130e0aac35231668dc2e3c61fab2d33c0d06e6e344703cf835a0a552f8e50", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9b8130e0aac35231668dc2e3c61fab2d33c0d06e6e344703cf835a0a552f8e50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/com/neuronrobotics/bowlerstudio/BowlerStudioMenuWorkspace.java"}, "region": {"startLine": 103}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 96703, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}]}]}