{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory; whether that alone blocks external entities depends on the parser implementation and version, so keep the explicit features above unless you have verified that external entities are rejected."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation.
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also cover loopback (127/8) and the IPv6 equivalents, apply the block to the address the hostname resolves to rather than to the hostname string, and repeat the check on every redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/438"}, "properties": {"repository": "x-stream/xstream", "repoUrl": "https://github.com/x-stream/xstream.git", "branch": "master"}, "results": [{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22678, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c859368f407db93d206d9a1c834c38592299050552287c3fc0c7691804835f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Writer.java", "duplicate_line": 28, "correlation_key": "fp|7c859368f407db93d206d9a1c834c38592299050552287c3fc0c7691804835f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/io/xml/JDomWriter.java"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22677, "scanner":
"repobility-ai-code-hygiene", "fingerprint": "25987536cae098c3a1060a705a24a7eab2ff24ff9ba604f972a2e47586a8f2c3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Reader.java", "duplicate_line": 19, "correlation_key": "fp|25987536cae098c3a1060a705a24a7eab2ff24ff9ba604f972a2e47586a8f2c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/io/xml/JDomReader.java"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22676, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0fc3a8325674fd7c4fb58db7f909a58943d5557892d03d2ed3bef144ce6aef58", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Driver.java", "duplicate_line": 61, "correlation_key": "fp|0fc3a8325674fd7c4fb58db7f909a58943d5557892d03d2ed3bef144ce6aef58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22675, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "051077598399f27c17e7fd6d213234122d283fddbc15afe5a812cbd6160ed8e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/io/xml/AbstractXppDomDriver.java", "duplicate_line": 29, "correlation_key": "fp|051077598399f27c17e7fd6d213234122d283fddbc15afe5a812cbd6160ed8e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/io/xml/AbstractXppDriver.java"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22674, "scanner": "repobility-ai-code-hygiene", "fingerprint": "67d7482fd27813c7190173db76192235a166950c63dd95e222680f9ad94306da", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/core/TreeMarshaller.java", "duplicate_line": 63, "correlation_key": "fp|67d7482fd27813c7190173db76192235a166950c63dd95e222680f9ad94306da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22673, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "fa2ed4e54c11a5cd01a5dd865fe72ea9c73ccdd15e99841fd768cbb68a370f07", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/converters/reflection/AbstractReflectionConverter.java", "duplicate_line": 53, "correlation_key": "fp|fa2ed4e54c11a5cd01a5dd865fe72ea9c73ccdd15e99841fd768cbb68a370f07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/converters/reflection/ExternalizableConverter.java"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22672, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be16a1c0044eaaed50a1c74ab19424f9f57e6e112e5e09f6c55f8953f3583581", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/OptionalDoubleConverter.java", "duplicate_line": 14, "correlation_key": "fp|be16a1c0044eaaed50a1c74ab19424f9f57e6e112e5e09f6c55f8953f3583581"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/converters/extended/OptionalLongConverter.java"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 22671, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea0c1f316fd106f7dc62e3f3998ddf2c0683dbfa05ec8009cb403d78db01392e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/AtomicBooleanConverter.java", "duplicate_line": 16, "correlation_key": "fp|ea0c1f316fd106f7dc62e3f3998ddf2c0683dbfa05ec8009cb403d78db01392e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/converters/extended/OptionalLongConverter.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22670, "scanner": "repobility-ai-code-hygiene", "fingerprint": "841abc87f68cc534ec9e1e5a67abf9b162a045453a1c80fef7866f1878e00230", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/OptionalDoubleConverter.java", "duplicate_line": 14, "correlation_key": "fp|841abc87f68cc534ec9e1e5a67abf9b162a045453a1c80fef7866f1878e00230"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/converters/extended/OptionalIntConverter.java"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22669, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2680ee5dad694537d56de34a46010577e5c936268d887c7518ddcb27b57a1a8f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/AtomicBooleanConverter.java", "duplicate_line": 16, "correlation_key": "fp|2680ee5dad694537d56de34a46010577e5c936268d887c7518ddcb27b57a1a8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/converters/extended/OptionalIntConverter.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22668, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b2bc889fb07de6c7151b53b8427441e07cb03b351a879564212c5a54ce49d9a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/AtomicBooleanConverter.java", "duplicate_line": 16, "correlation_key": "fp|0b2bc889fb07de6c7151b53b8427441e07cb03b351a879564212c5a54ce49d9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/converters/extended/OptionalDoubleConverter.java"}, 
"region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22667, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f83b3b3ceb7073d01ddcd0a33774ee1a571c35e08979df3359d8514df6305452", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedCollectionConverter.java", "duplicate_line": 32, "correlation_key": "fp|f83b3b3ceb7073d01ddcd0a33774ee1a571c35e08979df3359d8514df6305452"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java"}, "region": {"startLine": 195}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22666, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ce6d469659df706867e810b1124274766987bf53c37e4fde9c135fb606ec3deb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/AtomicBooleanConverter.java", "duplicate_line": 16, "correlation_key": "fp|ce6d469659df706867e810b1124274766987bf53c37e4fde9c135fb606ec3deb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"xstream/src/java/com/thoughtworks/xstream/converters/extended/AtomicLongConverter.java"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22665, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30dd2aaab2207f69d810b97158cf80f80d7e5b0e8a52d81b1c58eb1eefe75286", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/AtomicBooleanConverter.java", "duplicate_line": 16, "correlation_key": "fp|30dd2aaab2207f69d810b97158cf80f80d7e5b0e8a52d81b1c58eb1eefe75286"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/converters/extended/AtomicIntegerConverter.java"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22664, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9da80e45d9f2ee65215045b0b280c1c6ddacfbe6b37321e6a87ba9de1ae3fd03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "xstream/src/java/com/thoughtworks/xstream/converters/extended/ActivationDataFlavorConverter.java", "duplicate_line": 25, "correlation_key": 
"fp|9da80e45d9f2ee65215045b0b280c1c6ddacfbe6b37321e6a87ba9de1ae3fd03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/converters/extended/ActivationDataFlavorJakartaConverter.java"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 22679, "scanner": "repobility-threat-engine", "fingerprint": "184983d11a17f5269521047ac5eb64bf4859095e36065045058a0c529d6e60c1", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|230|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/Base64Benchmark.java"}, "region": {"startLine": 230}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 22683, "scanner": "repobility-threat-engine", "fingerprint": "5bd09503ff9fcda64623b912f8eb9bd35fb390150df9d09e4bc69ebdf1d64ac9", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SAXBuilder()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5bd09503ff9fcda64623b912f8eb9bd35fb390150df9d09e4bc69ebdf1d64ac9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Driver.java"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 22682, "scanner": "repobility-threat-engine", "fingerprint": "01817abd33473c09b5cebed55dbfaa9411003731c6b58f42dd480e7a89ef3eda", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SAXBuilder()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|01817abd33473c09b5cebed55dbfaa9411003731c6b58f42dd480e7a89ef3eda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 22681, "scanner": "repobility-threat-engine", "fingerprint": "745f7615b5a1f45cc99e5d110e7924826f4addc9a1255367511016274fcca48d", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|745f7615b5a1f45cc99e5d110e7924826f4addc9a1255367511016274fcca48d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22680, "scanner": "repobility-threat-engine", "fingerprint": "df96a23b6f2552d7468f1ca9a195c8667d1703f7799bbbd23c5a31b56c61d047", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df96a23b6f2552d7468f1ca9a195c8667d1703f7799bbbd23c5a31b56c61d047"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "xstream/src/java/com/thoughtworks/xstream/converters/basic/URLConverter.java"}, "region": {"startLine": 35}}}]}]}]}