{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: conn.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/384"}, "properties": {"repository": "vasu-devs/JustHireMe", "repoUrl": "https://github.com/vasu-devs/JustHireMe.git", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 12546, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 12545, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 12539, "scanner": "repobility-threat-engine", "fingerprint": "da1f1722f619ec71339fb9584a88838f281714e960cd406c40c994345130a84a", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|83|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/automation/browser_runtime.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 12537, "scanner": "repobility-threat-engine", "fingerprint": "1d6e1791f83014dedac2be5a75bc6436816e5c35f25d240c0fe521d90e475889", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d6e1791f83014dedac2be5a75bc6436816e5c35f25d240c0fe521d90e475889"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/profile/github_ingestor.py"}, "region": {"startLine": 250}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 12536, "scanner": "repobility-threat-engine", "fingerprint": "4c940eb9a3df4c2d35f983ac18a5711b3bbb6218ee5f33587a456bf9922121fd", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c940eb9a3df4c2d35f983ac18a5711b3bbb6218ee5f33587a456bf9922121fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/discovery/quality_gate.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 12535, "scanner": "repobility-threat-engine", "fingerprint": "0ac6c23deeac024ff41603f5c0412c2b6cfdd309863c4d62f9d2b3096b6404f5", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0ac6c23deeac024ff41603f5c0412c2b6cfdd309863c4d62f9d2b3096b6404f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/graph/__init__.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 12533, "scanner": "repobility-threat-engine", "fingerprint": "eb010a45b4a3e4158c47780ebf3e2486544fe1e46d2fdd48b276c658fa1e4903", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eb010a45b4a3e4158c47780ebf3e2486544fe1e46d2fdd48b276c658fa1e4903"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/hooks/useDueFollowups.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 12532, "scanner": "repobility-threat-engine", "fingerprint": "837bebdc0f5616c5ba1178de1585f0eb70d96ad7ad0b9e4d325c878b31b653dc", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|837bebdc0f5616c5ba1178de1585f0eb70d96ad7ad0b9e4d325c878b31b653dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/hooks/useLeads.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 12531, "scanner": "repobility-threat-engine", "fingerprint": "3193f2e3c071a766055c215d32dba1dfecd8883e6888dc3b8c048e6d41894b0b", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3193f2e3c071a766055c215d32dba1dfecd8883e6888dc3b8c048e6d41894b0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/src/main.jsx"}, "region": {"startLine": 203}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 12526, "scanner": "repobility-agent-runtime", "fingerprint": "5a95d52ee6f37b2f9cd23336dc531ea095765e647584bbaba5c5b62d84892c14", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|5a95d52ee6f37b2f9cd23336dc531ea095765e647584bbaba5c5b62d84892c14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/src/main.jsx"}, "region": {"startLine": 128}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12525, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0412ea5b7c81883b422819ad20bca5d6d23d99e8654ec9dc4e8eafde57ae571c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "website/api/downloads.js", "duplicate_line": 15, "correlation_key": "fp|0412ea5b7c81883b422819ad20bca5d6d23d99e8654ec9dc4e8eafde57ae571c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/api/views.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12524, "scanner": "repobility-ai-code-hygiene", "fingerprint": "658fe880c629276481c27a06152a7b9bdd5750a7da39c83fa1ddfe1b3bbafed8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/core/taxonomy.py", "duplicate_line": 1, "correlation_key": "fp|658fe880c629276481c27a06152a7b9bdd5750a7da39c83fa1ddfe1b3bbafed8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/ranking/taxonomy.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12523, "scanner": "repobility-ai-code-hygiene", "fingerprint": "07bcc7e2cd2bab07cf161342b42c24ad7816e7ac8702647c10b4c657e71ae0d2", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/discovery/query_gen.py", "duplicate_line": 66, "correlation_key": "fp|07bcc7e2cd2bab07cf161342b42c24ad7816e7ac8702647c10b4c657e71ae0d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/ranking/scoring_engine.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12522, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dc8201937eddc82fb5160686af2240be363048e71eeea843807de70031ac0018", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/llm.py", "duplicate_line": 1, "correlation_key": "fp|dc8201937eddc82fb5160686af2240be363048e71eeea843807de70031ac0018"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/llm/__init__.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12521, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c130d6ba6c21ee60c6add6fe8a0963066eda4fc498095b2eb4b4fc328fb35a9c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/api/routers/misc.py", "duplicate_line": 38, "correlation_key": "fp|c130d6ba6c21ee60c6add6fe8a0963066eda4fc498095b2eb4b4fc328fb35a9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/graph_service/stats.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12520, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d715e85cdece553215a1f3d406da776907cc3f2a543fe718fec2c7ea830706f6", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/api/routers/misc.py", "duplicate_line": 76, "correlation_key": "fp|d715e85cdece553215a1f3d406da776907cc3f2a543fe718fec2c7ea830706f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/graph_service/helpers.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12519, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a66ac3eb560ff5312da63b09b00d5e2886edebce58dfacfc97ecc7e0a971aad0", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/automation/scout.py", "duplicate_line": 298, "correlation_key": "fp|a66ac3eb560ff5312da63b09b00d5e2886edebce58dfacfc97ecc7e0a971aad0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/discovery/sources/web.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12518, "scanner": "repobility-ai-code-hygiene", "fingerprint": "beec25e52360b4468ecd297389f22f079979fc1668b68e5f16c22f912e9c8089", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/automation/free_scout.py", "duplicate_line": 117, "correlation_key": "fp|beec25e52360b4468ecd297389f22f079979fc1668b68e5f16c22f912e9c8089"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/discovery/sources/common.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12517, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc04dcd34a2c73d0283570e26776215d709e2f5a1b0ea5bf8281a5256f7899ec", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/automation/scout.py", "duplicate_line": 143, "correlation_key": "fp|cc04dcd34a2c73d0283570e26776215d709e2f5a1b0ea5bf8281a5256f7899ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/discovery/normalizer.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12516, "scanner": "repobility-ai-code-hygiene", "fingerprint": "29cecba6aa1b00537187d0bb5bb313737c7873e5380959c14654f3372aa3677a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/automation/lead_store.py", "duplicate_line": 10, "correlation_key": "fp|29cecba6aa1b00537187d0bb5bb313737c7873e5380959c14654f3372aa3677a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/db/client.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12515, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3cdd3ab0bb3220f93bd7d045e3aa280f6b2dce550f0c4a89c9d1700047fd9b39", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/api/routers/misc.py", "duplicate_line": 147, "correlation_key": "fp|3cdd3ab0bb3220f93bd7d045e3aa280f6b2dce550f0c4a89c9d1700047fd9b39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/data/graph/profile.py"}, "region": {"startLine": 372}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12514, "scanner": "repobility-ai-code-hygiene", "fingerprint": "55f0aaadd3c3645ad5acfa26addeadae96db36f00550145aecb16d8e68dc7575", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/automation/free_scout.py", "duplicate_line": 81, "correlation_key": "fp|55f0aaadd3c3645ad5acfa26addeadae96db36f00550145aecb16d8e68dc7575"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/automation/scout.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 12547, "scanner": "repobility-web-presence", "fingerprint": "c67620de0294f485af210951ec8cdaa381172ad311fc4860919e69dc6670e099", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|c67620de0294f485af210951ec8cdaa381172ad311fc4860919e69dc6670e099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 12544, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 12543, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 12542, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 12527, "scanner": "repobility-threat-engine", "fingerprint": "4c319cfbbdf486a6cb80d4fe83f1039184e496e77d92367b342cd0f5dbb0ebcd", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|src/main.tsx|14|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 12538, "scanner": "repobility-threat-engine", "fingerprint": "cca975ead63d0b44a5ea7b8f543ba28bf3e6d706e9ea67693344f74cdd022f58", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|cca975ead63d0b44a5ea7b8f543ba28bf3e6d706e9ea67693344f74cdd022f58"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 12534, "scanner": "repobility-threat-engine", "fingerprint": "60d6be488fc9792b7c544c84123a75cbfde5e34988a54174c40e3a6c52f2694e", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|60d6be488fc9792b7c544c84123a75cbfde5e34988a54174c40e3a6c52f2694e"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 12530, "scanner": "repobility-threat-engine", "fingerprint": "b8b0e54f1519a3984e50da6220cb2a771202a34669a5f1a403fd913cd542522d", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|src/shared/hooks/usews.ts|114|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/hooks/useWS.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 12529, "scanner": "repobility-threat-engine", "fingerprint": "77457ab8bb8d759e15e0970977faa8fbe490f19c00a5ae81d74c00aa07061cfd", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|designs/justhireme remix /src/profile.jsx|13|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Designs/JustHireMe (Remix)/src/profile.jsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 12528, "scanner": "repobility-threat-engine", "fingerprint": "486227131b1e4bae5532da2d110f63c8f83c86427022aa0e8da7f57bcc817890", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'crypto' detected on same line", "evidence": {"match": "Math.random()", "reason": "Safe pattern 'crypto' detected on same line", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|website/src/main.jsx|127|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/src/main.jsx"}, "region": {"startLine": 127}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 12541, "scanner": "repobility-journey-contract", "fingerprint": "f2ebde9940089b3a7908e1ab67346a53bbb0bd5c8359669ae4d6d2ca256dfc96", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|297|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/components/OnboardingWizard.tsx"}, "region": {"startLine": 297}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 12540, "scanner": "repobility-threat-engine", "fingerprint": "32a57fae56e6c513b9d34d1f9fe192314008e58826949a2db004e773941b612e", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".execute(\n            f\"SELECT", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|162|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/data/sqlite/leads.py"}, "region": {"startLine": 162}}}]}]}]}