{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. 
A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED092", "name": "[MINED092] Java Runtime Exec (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED092] Java Runtime Exec (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED010", "name": "[MINED010] Ruby System Call (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED010] Ruby System Call (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 32 more): Same pattern found in 32 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool.", "shortDescription": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default (and 1 more): Same pattern found in 1 additional files. Review ", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED086", "name": "[MINED086] Kotlin Runtime Exception (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED086] Kotlin Runtime Exception (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress (and 136 more): Same pattern found in 136 additional files. Review if needed.", "shortDescription": {"text": "[MINED048] Php Error Suppress (and 136 more): Same pattern found in 136 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED011", "name": "[MINED011] Scala Get On Option (and 79 more): Same pattern found in 79 additional files. Review if needed.", "shortDescription": {"text": "[MINED011] Scala Get On Option (and 79 more): Same pattern found in 79 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 145 more): Same pattern found in 145 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 145 more): Same pattern found in 145 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang (and 15 more): Same pattern found in 15 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 60 more): Same pattern found in 60 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 60 more): Same pattern found in 60 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 9 more): Same pattern found in 9 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit (and 2 more): Same pattern found in 2 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED085] Java Systemexit (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 10 more): Same pattern found in 10 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 10 more): Same pattern found in 10 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `.teamcity/.mvn/wrapper/maven-wrapper.jar` committed in source repo: `.teamcity/.mvn/wrapper/mave", "shortDescription": {"text": "[MINED134] Binary file `.teamcity/.mvn/wrapper/maven-wrapper.jar` committed in source repo: `.teamcity/.mvn/wrapper/maven-wrapper.jar` is a .jar binary (50,710 bytes) committed to a repo that otherwise has 12989 source files. Trojan binarie"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `lycheeverse/lychee-action` pinned to mutable ref `@v2.8.0`: `uses: lycheeverse/lychee-action@v2.8.0` ", "shortDescription": {"text": "[MINED115] Action `lycheeverse/lychee-action` pinned to mutable ref `@v2.8.0`: `uses: lycheeverse/lychee-action@v2.8.0` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-"}, "fullDescription": {"text": "Replace with: `uses: lycheeverse/lychee-action@<40-char-sha>  # v2.8.0` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.DEVELOCITY_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_re", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.DEVELOCITY_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.DEVELOCITY_ACCESS_KEY }` lets a PR from any fork exfil"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC101", "name": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes int", "shortDescription": {"text": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) leading to RCE."}, "fullDescription": {"text": "Avoid native Java serialization entirely. Use JSON (Jackson with default-typing OFF) or a length-limited Protobuf. If you must, set up a SerialKiller / lookahead-deserializer with a class allowlist."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED005", "name": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection.", "shortDescription": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1340"}, "properties": {"repository": "gradle/gradle", "repoUrl": "https://github.com/gradle/gradle", "branch": "master"}, "results": [{"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 136905, "scanner": "repobility-agent-runtime", "fingerprint": "998c7fcab315a88f5e8dfb5e228f9d52d445f363f05e80f7185acf1dbaf2880d", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|998c7fcab315a88f5e8dfb5e228f9d52d445f363f05e80f7185acf1dbaf2880d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/docs/userguide/js/theme.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 136901, "scanner": "repobility-threat-engine", "fingerprint": "61888d01efad656813ea4d2a8d2108c14f79235f577aa6c873e70306582e7283", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(ex: UnknownDomainObjectException) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, 
"correlation_key": "fp|61888d01efad656813ea4d2a8d2108c14f79235f577aa6c873e70306582e7283"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/kotlin-dsl-integ-tests/src/crossVersionTest/groovy/org/gradle/kotlin/dsl/plugins/ProjectTheExtensionCrossVersionSpec.groovy"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 136900, "scanner": "repobility-threat-engine", "fingerprint": "d2f175366d113ca2c71cd29e408cdb797791c3693d7084bf27064e14d2faeb2c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "// TODO: Write the", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d2f175366d113ca2c71cd29e408cdb797791c3693d7084bf27064e14d2faeb2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/dependency-management-serialization-codecs/src/main/kotlin/org/gradle/internal/serialize/codecs/dm/transform/TransformedArtifactCodec.kt"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug 
page with arbitrary template eval)."}, "properties": {"repobilityId": 136887, "scanner": "repobility-threat-engine", "fingerprint": "7c3e947693122ddb51f8b3cddfc874c9946b30224dbac1dbeb92d335a9e276d2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug=true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7c3e947693122ddb51f8b3cddfc874c9946b30224dbac1dbeb92d335a9e276d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/ConfigurationCacheEnablementIntegrationTest.groovy"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 136847, "scanner": "repobility-threat-engine", "fingerprint": "32811b87f1f71e91d4f954251a40df8e8b25597e8b849afe9a82b39372ed6a8e", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|217|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/file-operations/src/main/java/org/gradle/api/internal/file/archive/TarFileTree.java"}, "region": {"startLine": 217}}}]}, {"ruleId": "SEC012", "level": "warning", "message": 
{"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 136846, "scanner": "repobility-threat-engine", "fingerprint": "b4e958645d1b69e1687ff5fb197cc481f43205cf826c5921e516c07de5279a05", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "zipEntry.name", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|50|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/transforms/ExplodeZipAndFindJars.groovy"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 136845, "scanner": "repobility-threat-engine", "fingerprint": "0d3a26664ddc5a2e019c550c27107be7f315b863a650382fe96fd9be4f0dd448", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "zipEntry.name", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|138|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic-commons/basics/src/main/kotlin/gradlebuild/basics/tasks/PackageListGenerator.kt"}, "region": {"startLine": 138}}}]}, {"ruleId": 
"SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 136827, "scanner": "repobility-threat-engine", "fingerprint": "2ea209bf612aa820b29c7b7febad24eff88b3a8ca0a8885757cd2e977b953d1c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|92|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/scripts/FindCommits.java"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 136826, "scanner": "repobility-threat-engine", "fingerprint": "36a3a5cd9069c6f99a61d56a19349e0789b236464faac70740d775b676690472", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|109|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/scripts/CheckWrapper.java"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 136825, "scanner": "repobility-threat-engine", "fingerprint": "b980099245733ca6d400680611d5229fa7e3110e1464d33ab5a7ce27a8bc3a91", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. 
token|173|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/scripts/CheckBadMerge.java"}, "region": {"startLine": 173}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136904, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a3661e886731ff037e947b464797b9e76b94b42dd0ef02184e74f95524d0483", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".teamcity/src/main/kotlin/promotion/PublishRelease.kt", "duplicate_line": 23, "correlation_key": "fp|7a3661e886731ff037e947b464797b9e76b94b42dd0ef02184e74f95524d0483"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/src/main/kotlin/promotion/StartReleaseCycle.kt"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 136816, "scanner": "repobility-threat-engine", "fingerprint": "37f8eec2bb0ff98dc055413be6058e89a35c51cbd074e0b445b307156367f037", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Bad wrapper version \" + wrapperVersion + \" used in commit \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|37f8eec2bb0ff98dc055413be6058e89a35c51cbd074e0b445b307156367f037"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/scripts/CheckWrapper.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 136815, "scanner": "repobility-threat-engine", "fingerprint": "caff42c417ca44c3945ab6a3de5dcffb9795125180319ed51a0a7f115391c671", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Found bad files in merge commit \" + commit + \", run the listed commands:\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|caff42c417ca44c3945ab6a3de5dcffb9795125180319ed51a0a7f115391c671"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/scripts/CheckBadMerge.java"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 136814, "scanner": "repobility-threat-engine", "fingerprint": "a9f361c4c564fef0f6090f2e2858add6e9ca364be6eee37cd90a05cbe5ff1338", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/\"\n        + WRAPPER_VERSION + \"/maven-", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a9f361c4c564fef0f6090f2e2858add6e9ca364be6eee37cd90a05cbe5ff1338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/.mvn/wrapper/MavenWrapperDownloader.java"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 136903, "scanner": "repobility-threat-engine", "fingerprint": "6c14b03ac3873c1fbd0fc777318aa0249105764475832837dd1b094f3039051b", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|31|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/kotlin-dsl/src/integTest/kotlin/org/gradle/kotlin/dsl/compile/AbstractCompileAvoidanceIntegrationTest.kt"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 136902, "scanner": "repobility-threat-engine", "fingerprint": "c96ef5ca39f8f0fe0b08b00797ee5e64b79086a4ba9ef8aec1a39650bf209898", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c96ef5ca39f8f0fe0b08b00797ee5e64b79086a4ba9ef8aec1a39650bf209898"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"platforms/core-configuration/kotlin-dsl-integ-tests/src/integTest/kotlin/org/gradle/kotlin/dsl/integration/SkipMetadataVersionCheckTest.kt"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 136899, "scanner": "repobility-threat-engine", "fingerprint": "c500235c2c10d9a6a568768149b5de837f8447c5d3c169a83f21d0571ab8f975", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c500235c2c10d9a6a568768149b5de837f8447c5d3c169a83f21d0571ab8f975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/isolated/IsolatedProjectsToolingApiParallelConfigurationIntegrationTest.groovy"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 136898, "scanner": "repobility-threat-engine", "fingerprint": "722c59e99261f20dc284fc4d75c6d79443063580ac0828f00469b2439b988b0f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|722c59e99261f20dc284fc4d75c6d79443063580ac0828f00469b2439b988b0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/isolated/IsolatedProjectsParallelConfigurationIntegrationTest.groovy"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 136897, "scanner": "repobility-threat-engine", "fingerprint": "e01b6c3a45d011ce7e466322117ea460364ae6da7df30b486e89b87e818be666", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e01b6c3a45d011ce7e466322117ea460364ae6da7df30b486e89b87e818be666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/isolated/IsolatedProjectsCompositeBuildParallelConfigurationIntegrationTest.groovy"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 136896, "scanner": "repobility-threat-engine", "fingerprint": "21154244876b2115e23508d1d3546c3b1fa2a2a13f4dce4050efa400c886a95d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|21154244876b2115e23508d1d3546c3b1fa2a2a13f4dce4050efa400c886a95d", "aggregated_count": 3}}}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "properties": {"repobilityId": 136895, "scanner": "repobility-threat-engine", "fingerprint": "8e9c47487f6b3f5bf1a2e1ffc021d791cf907ac9e71ee638aae714be89c03fee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e9c47487f6b3f5bf1a2e1ffc021d791cf907ac9e71ee638aae714be89c03fee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/inputs/process/instrument/ProcessInstrumentationInStaticGroovyIntegrationTest.groovy"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "properties": {"repobilityId": 136894, "scanner": "repobility-threat-engine", "fingerprint": 
"b0700497f175431992833e7057fedd24d61468094f6c6669481d422512cf7385", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0700497f175431992833e7057fedd24d61468094f6c6669481d422512cf7385"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/inputs/process/instrument/ProcessInstrumentationInKotlinIntegrationTest.groovy"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "properties": {"repobilityId": 136893, "scanner": "repobility-threat-engine", "fingerprint": "a34426a2a117c22d3dad665339f37997eb6e21be6cc864c4ba91bc19f33dc080", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a34426a2a117c22d3dad665339f37997eb6e21be6cc864c4ba91bc19f33dc080"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/inputs/process/instrument/ProcessInstrumentationInJavaIntegrationTest.groovy"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED010", "level": "none", "message": {"text": "[MINED010] Ruby System Call (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 136892, "scanner": "repobility-threat-engine", "fingerprint": "9c436aac041adc9f816d7867c7b7d82eeafd6cf489d0b353acb6880982016b93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9c436aac041adc9f816d7867c7b7d82eeafd6cf489d0b353acb6880982016b93", "aggregated_count": 7}}}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 136888, "scanner": "repobility-threat-engine", "fingerprint": "646efeb33971ed9e2a8e2012e21edda1e314dde81c1dc6d8bcffa8758cd61590", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 
37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|646efeb33971ed9e2a8e2012e21edda1e314dde81c1dc6d8bcffa8758cd61590"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/ConfigurationCacheEnablementIntegrationTest.groovy"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 136884, "scanner": "repobility-threat-engine", "fingerprint": "fabab953c09a7e5202d50fcd14c19274236e487c8ae289e221b954b94aa9b883", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fabab953c09a7e5202d50fcd14c19274236e487c8ae289e221b954b94aa9b883"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/kotlin-dsl/src/main/kotlin/org/gradle/kotlin/dsl/resolver/ResolverEventLogger.kt"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 136883, "scanner": "repobility-threat-engine", "fingerprint": "9fb1d80fdc474a316acfd33ad4f7fa6474184f8f93b95368c72cba1ff75ec6c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context 
found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9fb1d80fdc474a316acfd33ad4f7fa6474184f8f93b95368c72cba1ff75ec6c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/documentation/src/main/groovy/gradlebuild/docs/dsl/source/GenerateApiMapping.java"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "properties": {"repobilityId": 136879, "scanner": "repobility-threat-engine", "fingerprint": "62000d257fb045d0b197c75562c02a591e1fa59e97f0c2640bf74e1047aa2ced", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 32 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 32 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|62000d257fb045d0b197c75562c02a591e1fa59e97f0c2640bf74e1047aa2ced"}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. 
Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 136875, "scanner": "repobility-threat-engine", "fingerprint": "a547ec7f64cd927e818113a40201fb2921c617c361c3f7921b31b1192279b8dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a547ec7f64cd927e818113a40201fb2921c617c361c3f7921b31b1192279b8dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/cleanup/src/main/java/gradlebuild/cleanup/services/KillLeakingJavaProcesses.java"}, "region": {"startLine": 261}}}]}, {"ruleId": "SEC024", "level": "none", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 136874, "scanner": "repobility-threat-engine", "fingerprint": "65c7efc380d7289c4ccf2845ebe55a22f6b35f73efe9ab03bdf50da756a05703", "category": "xxe", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|65c7efc380d7289c4ccf2845ebe55a22f6b35f73efe9ab03bdf50da756a05703"}}}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 136870, "scanner": "repobility-threat-engine", "fingerprint": "121632e8b8cfdea7e6b35934891afdb3be7684a619bd9d5c8619ad7f9e7dbfa3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", "triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|121632e8b8cfdea7e6b35934891afdb3be7684a619bd9d5c8619ad7f9e7dbfa3", "aggregated_count": 8}}}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "properties": {"repobilityId": 136869, "scanner": "repobility-threat-engine", "fingerprint": "0e7faf0105272963846b1d2e4a676bdd3bf24eab505c13eba19125cc3892c9aa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", 
"triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0e7faf0105272963846b1d2e4a676bdd3bf24eab505c13eba19125cc3892c9aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/build-update-utils/src/main/kotlin/gradlebuild/buildutils/tasks/UpdateFixedIssuesInReleaseNotes.kt"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "properties": {"repobilityId": 136868, "scanner": "repobility-threat-engine", "fingerprint": "7b992f8f58e0879f269d722b37b2d220a044aab1a492c6261a0d59ea3011cb68", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", "triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b992f8f58e0879f269d722b37b2d220a044aab1a492c6261a0d59ea3011cb68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/build-update-utils/src/main/kotlin/gradlebuild/buildutils/tasks/PreparePatchRelease.kt"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "properties": {"repobilityId": 136867, "scanner": "repobility-threat-engine", "fingerprint": "30f2dbc816e41c7f4593b24cf4848df866621ce853138d101754c296ee0054ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern 
matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", "triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30f2dbc816e41c7f4593b24cf4848df866621ce853138d101754c296ee0054ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/build-update-utils/src/main/kotlin/gradlebuild/buildutils/tasks/AbstractCheckOrUpdateContributorsInReleaseNotes.kt"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 136866, "scanner": "repobility-threat-engine", "fingerprint": "7942a33588f40c8b0f3360564e5de1da005ee3775f1b69fc147f155d7c5d675e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7942a33588f40c8b0f3360564e5de1da005ee3775f1b69fc147f155d7c5d675e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/rules/KotlinModifiersBreakingChangeRule.groovy"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 136865, "scanner": "repobility-threat-engine", "fingerprint": "1d2cc487bb12f21e98e88a0125da47f40bb540a44c5fdae63587307397c40d80", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1d2cc487bb12f21e98e88a0125da47f40bb540a44c5fdae63587307397c40d80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/rules/AbstractSuperClassChangesRule.groovy"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress (and 136 more): Same pattern found in 136 additional files. Review if needed."}, "properties": {"repobilityId": 136864, "scanner": "repobility-threat-engine", "fingerprint": "746e0538522792aac11bb5f2818792fbd09a56e65e06c1d64631fe5d0b9245fc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 136 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|746e0538522792aac11bb5f2818792fbd09a56e65e06c1d64631fe5d0b9245fc", "aggregated_count": 136}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 136863, "scanner": "repobility-threat-engine", "fingerprint": "d498b809a232fb60a5480b5d30e6e97861932be500285ab8d07104e57a8435c4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d498b809a232fb60a5480b5d30e6e97861932be500285ab8d07104e57a8435c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/transforms/FindGradleClasspath.groovy"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. 
Hides real issues."}, "properties": {"repobilityId": 136862, "scanner": "repobility-threat-engine", "fingerprint": "65cc64f86719e89a1d0d0dcef6ab944b4a68c188aa2baa61dfe32cb82580073b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|65cc64f86719e89a1d0d0dcef6ab944b4a68c188aa2baa61dfe32cb82580073b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/transforms/ExplodeZipAndFindJars.groovy"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. 
Hides real issues."}, "properties": {"repobilityId": 136861, "scanner": "repobility-threat-engine", "fingerprint": "29cb9ff752db81c3f7d184bd064308c5a5b59a7826288984f6937004d51b36fe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|29cb9ff752db81c3f7d184bd064308c5a5b59a7826288984f6937004d51b36fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/CleanAcceptedApiChanges.groovy"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED011", "level": "none", "message": {"text": "[MINED011] Scala Get On Option (and 79 more): Same pattern found in 79 additional files. Review if needed."}, "properties": {"repobilityId": 136860, "scanner": "repobility-threat-engine", "fingerprint": "9c3041c6a8c9bdebce416bb260d1245a1c8771eb75c83e812e5d03a85dc0fdce", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 79 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9c3041c6a8c9bdebce416bb260d1245a1c8771eb75c83e812e5d03a85dc0fdce", "aggregated_count": 79}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 145 more): Same pattern found in 145 additional files. Review if needed."}, "properties": {"repobilityId": 136856, "scanner": "repobility-threat-engine", "fingerprint": "0c5c86ec5484b438e62a1cd86c37d5cd642a5ba282265033018de604fd70e558", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 145 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c5c86ec5484b438e62a1cd86c37d5cd642a5ba282265033018de604fd70e558", "aggregated_count": 145}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 136855, "scanner": "repobility-threat-engine", "fingerprint": "8147c2d7e0a9831b8dc08f354311ab26acd80c7617fe57ff8800101f839995b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8147c2d7e0a9831b8dc08f354311ab26acd80c7617fe57ff8800101f839995b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/AcceptedApiChanges.groovy"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 136854, "scanner": "repobility-threat-engine", "fingerprint": "0337268a301d732662b42bd3c18e68c2bdbbcbab145c14570aa364e9af520b57", 
"category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0337268a301d732662b42bd3c18e68c2bdbbcbab145c14570aa364e9af520b57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/AcceptedApiChange.groovy"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 136853, "scanner": "repobility-threat-engine", "fingerprint": "f07aa750d1a8e2c4d5c0948525d33e15cf58e4777d148361c6f1c068d46646a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f07aa750d1a8e2c4d5c0948525d33e15cf58e4777d148361c6f1c068d46646a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/EnrichedReportRenderer.groovy"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED043", "level": "none", "message": 
{"text": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 136852, "scanner": "repobility-threat-engine", "fingerprint": "cd0c8e85bd308a46f755f44bc6ab20955e3c28a1f9d626cb3a3bf09c3b5d92c7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd0c8e85bd308a46f755f44bc6ab20955e3c28a1f9d626cb3a3bf09c3b5d92c7", "aggregated_count": 5}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136851, "scanner": "repobility-threat-engine", "fingerprint": "a5dfdf7304f15f003ca081571f3fe739efd3940781d99e8383de67c845a1b00e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5dfdf7304f15f003ca081571f3fe739efd3940781d99e8383de67c845a1b00e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"build-logic/build-update-utils/src/main/kotlin/gradlebuild/buildutils/tasks/AbstractVersionsUpdateTask.kt"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136850, "scanner": "repobility-threat-engine", "fingerprint": "e7ef3f21bba0b2448922141f1883d23f760cb8d660375aca56f13a08dad1b2ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7ef3f21bba0b2448922141f1883d23f760cb8d660375aca56f13a08dad1b2ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic-commons/publishing/src/main/kotlin/gradlebuild.publish-defaults.gradle.kts"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136849, "scanner": "repobility-threat-engine", "fingerprint": "bb86012c2ac7585476d05378aad96ea6a35448bb74d1e29df5f3d00de164acfb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, 
"observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb86012c2ac7585476d05378aad96ea6a35448bb74d1e29df5f3d00de164acfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic-commons/publishing/src/main/kotlin/gradlebuild.kotlin-dsl-plugin-bundle.gradle.kts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC012", "level": "none", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 136848, "scanner": "repobility-threat-engine", "fingerprint": "f21d8f84b5b8fd967ff0c5e2e1c3fb58bbdee23dfc12821fdafc6666b2cd3f87", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f21d8f84b5b8fd967ff0c5e2e1c3fb58bbdee23dfc12821fdafc6666b2cd3f87"}}}, {"ruleId": "MINED029", "level": "none", "message": {"text": "[MINED029] Kotlin Null Bang (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 136844, "scanner": "repobility-threat-engine", "fingerprint": "50b1075d3d60afc50a2ab923418d2eb3949c3c72a120a98bd84658eb92f69892", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|50b1075d3d60afc50a2ab923418d2eb3949c3c72a120a98bd84658eb92f69892", "aggregated_count": 15}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 60 more): Same pattern found in 60 additional files. Review if needed."}, "properties": {"repobilityId": 136840, "scanner": "repobility-threat-engine", "fingerprint": "7e31f64557980a23eb2d51e475ff4bb3d1c714ac6a333cd26247dba3446ec752", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 60 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 60 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7e31f64557980a23eb2d51e475ff4bb3d1c714ac6a333cd26247dba3446ec752"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 136836, "scanner": "repobility-threat-engine", "fingerprint": "58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "aggregated_count": 2}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 136832, "scanner": "repobility-threat-engine", "fingerprint": "5523e60b1dc8a944defadff18fd27285ca7823b9184972b5126e133bf66244aa", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5523e60b1dc8a944defadff18fd27285ca7823b9184972b5126e133bf66244aa"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 136828, "scanner": "repobility-threat-engine", "fingerprint": "69b8d1ab6ebdf0e67a4943a9d246df28ccefb397d7d029799319621fefe41b25", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|69b8d1ab6ebdf0e67a4943a9d246df28ccefb397d7d029799319621fefe41b25"}}}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 136824, "scanner": "repobility-threat-engine", "fingerprint": "4c0c59912ae94ed97638dc8a95d2e1d4da95bd5284d8f8537a979defda9c50d4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4c0c59912ae94ed97638dc8a95d2e1d4da95bd5284d8f8537a979defda9c50d4", "aggregated_count": 2}}}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 136823, "scanner": "repobility-threat-engine", "fingerprint": "dd0c1ec1cfa3833907670c4d7108f03e8ee7ebba65845192a19941cb90a1000c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": 
null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dd0c1ec1cfa3833907670c4d7108f03e8ee7ebba65845192a19941cb90a1000c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/scripts/CheckRemoteProjectRef.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 136822, "scanner": "repobility-threat-engine", "fingerprint": "55ef3120f039db09ef6bc248696bcec701e40ad07a4a74b9f09cee7c8bd17414", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|55ef3120f039db09ef6bc248696bcec701e40ad07a4a74b9f09cee7c8bd17414"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/scripts/CheckBadMerge.java"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 136821, "scanner": "repobility-threat-engine", "fingerprint": "829dbc0b33f90c31735158942318c0051ad129275a3a88b0b5490d3cb7ae22e6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no 
mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|829dbc0b33f90c31735158942318c0051ad129275a3a88b0b5490d3cb7ae22e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/.mvn/wrapper/MavenWrapperDownloader.java"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 136820, "scanner": "repobility-threat-engine", "fingerprint": "1f09d680f7bbf12211cd24cd81a29fb5b9e85a574bbc05f68e3170f5d4416693", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1f09d680f7bbf12211cd24cd81a29fb5b9e85a574bbc05f68e3170f5d4416693"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/performance-testing/src/main/groovy/gradlebuild/performance/generator/MavenJarCreator.groovy"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 136819, "scanner": "repobility-threat-engine", "fingerprint": 
"dde190832331d3d2281fbf538b99902913b89e46d1a1b83847bcc685ccfad1d5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dde190832331d3d2281fbf538b99902913b89e46d1a1b83847bcc685ccfad1d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/cleanup/src/main/java/gradlebuild/cleanup/services/KillLeakingJavaProcesses.java"}, "region": {"startLine": 269}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 136818, "scanner": "repobility-threat-engine", "fingerprint": "fbccd1beb5625e83674f47a40a8d116c653f48fa484f9fca6205c490bad733f7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fbccd1beb5625e83674f47a40a8d116c653f48fa484f9fca6205c490bad733f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/.mvn/wrapper/MavenWrapperDownloader.java"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": 
"[SEC132] String concat where the language has interpolation (AI style drift) (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 136817, "scanner": "repobility-threat-engine", "fingerprint": "8f982bc0d0872c1bd9a84e8d95e8cdce33d25577464dd9a83b32709d7d282ef9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f982bc0d0872c1bd9a84e8d95e8cdce33d25577464dd9a83b32709d7d282ef9"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 136813, "scanner": "repobility-threat-engine", "fingerprint": "0f70dcb830f007110a79342e3f81eda77503ccc94f6c49e7c60c391ea17cb0cb", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0f70dcb830f007110a79342e3f81eda77503ccc94f6c49e7c60c391ea17cb0cb"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `.teamcity/.mvn/wrapper/maven-wrapper.jar` committed in source repo: `.teamcity/.mvn/wrapper/maven-wrapper.jar` is a .jar binary (50,710 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 136952, "scanner": "repobility-supply-chain", "fingerprint": "b79eb9ac230d9e01adc1e0c9ffef4928a915e82ac471b82362fb6dd4d9731ae4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b79eb9ac230d9e01adc1e0c9ffef4928a915e82ac471b82362fb6dd4d9731ae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/.mvn/wrapper/maven-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 136951, "scanner": "repobility-supply-chain", "fingerprint": "d29a077e212720566571dcae9567932f3316244e0787ae876dab20aea8677704", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d29a077e212720566571dcae9567932f3316244e0787ae876dab20aea8677704"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-no"}, "properties": {"repobilityId": 136950, "scanner": "repobility-supply-chain", "fingerprint": "e239571f316e5328d7df5c8ab2de4e941d293fa84a5e1503e84eed850775d55c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e239571f316e5328d7df5c8ab2de4e941d293fa84a5e1503e84eed850775d55c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwis"}, "properties": {"repobilityId": 136949, "scanner": "repobility-supply-chain", "fingerprint": "7964c8ce3908fdb34b6a63b2740cad557ec88db28f6ecf7d8cca5042519d11ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7964c8ce3908fdb34b6a63b2740cad557ec88db28f6ecf7d8cca5042519d11ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal s"}, "properties": {"repobilityId": 136948, "scanner": "repobility-supply-chain", "fingerprint": "0295da10447735cc21cde1424613bedc4ac35ed13e82126266aa798641200fde", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0295da10447735cc21cde1424613bedc4ac35ed13e82126266aa798641200fde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal sourc"}, "properties": {"repobilityId": 136947, "scanner": "repobility-supply-chain", "fingerprint": "d72a433f151bc85693ac341d16e11d91f1e4c12c0fe3d026fedf5d28cdcea9e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d72a433f151bc85693ac341d16e11d91f1e4c12c0fe3d026fedf5d28cdcea9e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherw"}, "properties": {"repobilityId": 136946, "scanner": "repobility-supply-chain", "fingerprint": "103372be5a8d5acb5d668dcab2d8ffc225c085213220345590ea8f58830635ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|103372be5a8d5acb5d668dcab2d8ffc225c085213220345590ea8f58830635ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-"}, "properties": {"repobilityId": 136945, "scanner": "repobility-supply-chain", "fingerprint": "77419c6c0a8f20fa80116af1097cd902a6d43dd71de7e8f7e87a23fd0e89ab72", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77419c6c0a8f20fa80116af1097cd902a6d43dd71de7e8f7e87a23fd0e89ab72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/integration-tests/webApplication/customized/kotlin/additionalLibs/additional-1.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/integration-tests/webApplication/customized/kotlin/additionalLibs/additional-1.0.jar` is a .jar binary (349 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised depen"}, "properties": {"repobilityId": 136944, "scanner": "repobility-supply-chain", "fingerprint": "e0b4623b5bc24bb1d67a46c651b959573223dbd11f77f89497eb74e5e3b42bdd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0b4623b5bc24bb1d67a46c651b959573223dbd11f77f89497eb74e5e3b42bdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/integration-tests/webApplication/customized/kotlin/additionalLibs/additional-1.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/integration-tests/webApplication/customized/groovy/additionalLibs/additional-1.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/integration-tests/webApplication/customized/groovy/additionalLibs/additional-1.0.jar` is a .jar binary (349 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised depen"}, "properties": {"repobilityId": 136943, "scanner": "repobility-supply-chain", "fingerprint": "6b9f90057927956ef393797f0d9efe007540848a1b72381cd2858ce02d1ff517", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b9f90057927956ef393797f0d9efe007540848a1b72381cd2858ce02d1ff517"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/integration-tests/webApplication/customized/groovy/additionalLibs/additional-1.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/reference/core-plugins/customized/kotlin/additionalLibs/additional-1.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/reference/core-plugins/customized/kotlin/additionalLibs/additional-1.0.jar` is a .jar binary (349 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in"}, "properties": {"repobilityId": 136942, "scanner": "repobility-supply-chain", "fingerprint": "9fe58ed11fa432ae0af5e71334a7c0cd95f83b476e79bf1c98d62c1666a43cf1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fe58ed11fa432ae0af5e71334a7c0cd95f83b476e79bf1c98d62c1666a43cf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/reference/core-plugins/customized/kotlin/additionalLibs/additional-1.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/reference/core-plugins/customized/groovy/additionalLibs/additional-1.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/reference/core-plugins/customized/groovy/additionalLibs/additional-1.0.jar` is a .jar binary (349 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in"}, "properties": {"repobilityId": 136941, "scanner": "repobility-supply-chain", "fingerprint": "75444d135990997eab8252650909fc60aee24b7e95867ce25e37dec360eddac0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75444d135990997eab8252650909fc60aee24b7e95867ce25e37dec360eddac0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/reference/core-plugins/customized/groovy/additionalLibs/additional-1.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project2/1.0/project2-1.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project2/1.0/project2-1.0.jar` is a .jar binary (261 bytes) committed to a rep"}, "properties": {"repobilityId": 136940, "scanner": "repobility-supply-chain", "fingerprint": "d576927810419e69a378495c7f44ece930f18563825cf431b9c53e0b1ffde5c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|d576927810419e69a378495c7f44ece930f18563825cf431b9c53e0b1ffde5c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project2/1.0/project2-1.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project3/1.0/project3-1.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project3/1.0/project3-1.0.jar` is a .jar binary (261 bytes) committed to a rep"}, "properties": {"repobilityId": 136939, "scanner": "repobility-supply-chain", "fingerprint": "4abfda3070108c77a79853a59df02758aba7fbde3cde52aacbaef3457470742c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4abfda3070108c77a79853a59df02758aba7fbde3cde52aacbaef3457470742c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project3/1.0/project3-1.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file 
`platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project1/1.0/project1-1.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project1/1.0/project1-1.0.jar` is a .jar binary (261 bytes) committed to a rep"}, "properties": {"repobilityId": 136938, "scanner": "repobility-supply-chain", "fingerprint": "0c64d26b5c49b32cb44e820a11914cc198f6c1aa3ee9c2be360d9b05bee6921d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c64d26b5c49b32cb44e820a11914cc198f6c1aa3ee9c2be360d9b05bee6921d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project1/1.0/project1-1.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal source repos are a known "}, "properties": {"repobilityId": 136937, "scanner": "repobility-supply-chain", "fingerprint": "2fc8b3ba47c6a5675ad1ec7c1127086914a073eda1c89cdc385b87b027eca6d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2fc8b3ba47c6a5675ad1ec7c1127086914a073eda1c89cdc385b87b027eca6d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/unused/plugins/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal source repos are a kn"}, "properties": {"repobilityId": 136936, "scanner": "repobility-supply-chain", "fingerprint": "b00794efd1b7c348417ff49a5fd498fb9c37507fe85e3ba315779463f24e7803", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b00794efd1b7c348417ff49a5fd498fb9c37507fe85e3ba315779463f24e7803"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/unused/plugins/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply"}, "properties": {"repobilityId": 136935, "scanner": "repobility-supply-chain", "fingerprint": "fa17bdca8d10a1c3d3ca1cc839b2c7e8623dbc71119ba164e6bdc8078b0a4631", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa17bdca8d10a1c3d3ca1cc839b2c7e8623dbc71119ba164e6bdc8078b0a4631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-cha"}, "properties": {"repobilityId": 136934, "scanner": "repobility-supply-chain", "fingerprint": "0da40cb7cd07fb1849f8cd7ea25d04e82d2d79822f9aa73d1fe28a75ed982cc5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0da40cb7cd07fb1849f8cd7ea25d04e82d2d79822f9aa73d1fe28a75ed982cc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal source repos are a "}, "properties": {"repobilityId": 136933, "scanner": "repobility-supply-chain", "fingerprint": "3d379ec90b1ef3bf860dd340296ce8f1291dbf4288ade54bab304153ba96e1b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d379ec90b1ef3bf860dd340296ce8f1291dbf4288ade54bab304153ba96e1b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. 
Trojan binaries inside otherwise-normal source repos are a know"}, "properties": {"repobilityId": 136932, "scanner": "repobility-supply-chain", "fingerprint": "cda67fe13045ab8824d2b8c88d6d0179de8d8fb04564a42c71b5d41e05766344", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cda67fe13045ab8824d2b8c88d6d0179de8d8fb04564a42c71b5d41e05766344"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `lycheeverse/lychee-action` pinned to mutable ref `@v2.8.0`: `uses: lycheeverse/lychee-action@v2.8.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136930, "scanner": "repobility-supply-chain", "fingerprint": "b736f572725e93dec5f6964a3902cb1369950744011a4ad45e2790459ba1c63f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b736f572725e93dec5f6964a3902cb1369950744011a4ad45e2790459ba1c63f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-markdown-links.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136929, "scanner": "repobility-supply-chain", "fingerprint": "8b4a42953abe479868a857fb9fe3cccd9cfd44f643e1f19f05cd0263ee0182c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b4a42953abe479868a857fb9fe3cccd9cfd44f643e1f19f05cd0263ee0182c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-markdown-links.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v10`: `uses: actions/stale@v10` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136928, "scanner": "repobility-supply-chain", "fingerprint": "b74250b98919ee18f6615e21f62c2ccd957767175774e4cddad9c47d6603b31d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b74250b98919ee18f6615e21f62c2ccd957767175774e4cddad9c47d6603b31d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/team-triage-stale.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `kentaro-m/auto-assign-action` pinned to mutable ref `@v2.0.2`: `uses: kentaro-m/auto-assign-action@v2.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136927, "scanner": "repobility-supply-chain", "fingerprint": "886374a59d65b43f036a4f9a47e8cf636382da54daa14316966fd5e5978c5e16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|886374a59d65b43f036a4f9a47e8cf636382da54daa14316966fd5e5978c5e16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-assign-pr-to-author.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-or-update-comment` pinned to mutable ref `@v5`: `uses: peter-evans/create-or-update-comment@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136926, "scanner": "repobility-supply-chain", "fingerprint": "a7a55ed6cad892479ece0aa6684ab718873c2b1db731883fac1475fb3d77e0eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7a55ed6cad892479ece0aa6684ab718873c2b1db731883fac1475fb3d77e0eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-jdks.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136925, "scanner": "repobility-supply-chain", "fingerprint": "1ee6de8cf54febb443b0b7ad58247eff426646842ba5a86c61245675a87f0690", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ee6de8cf54febb443b0b7ad58247eff426646842ba5a86c61245675a87f0690"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-jdks.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/update-jdks-action` pinned to mutable ref `@main`: `uses: gradle/update-jdks-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136924, "scanner": "repobility-supply-chain", "fingerprint": "61324ca09b94e3d7e9bc0c9dc7c8fb2466d40c55b7a52e7126a8812f5647ae71", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61324ca09b94e3d7e9bc0c9dc7c8fb2466d40c55b7a52e7126a8812f5647ae71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-jdks.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136923, "scanner": "repobility-supply-chain", "fingerprint": "b56967d9bca99de5d27229952ea4481809110739ac4d593486255d0b0ff9398a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b56967d9bca99de5d27229952ea4481809110739ac4d593486255d0b0ff9398a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-jdks.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `slackapi/slack-github-action` pinned to mutable ref `@v3.0.3`: `uses: slackapi/slack-github-action@v3.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136922, "scanner": "repobility-supply-chain", "fingerprint": "3e8dc8e6de334aa14887880b4aa4dd0f7107574a9f22f9711beaf37270cf53db", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e8dc8e6de334aa14887880b4aa4dd0f7107574a9f22f9711beaf37270cf53db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/notify-on-rc-for-manual-test.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/issue-management-action/issue-metadata` pinned to mutable ref `@v2`: `uses: gradle/issue-management-action/issue-metadata@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136921, "scanner": "repobility-supply-chain", "fingerprint": "c77b3db43eb6815ca829bf4777b443ebd63799081be84f523091a97dfe887d9b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c77b3db43eb6815ca829bf4777b443ebd63799081be84f523091a97dfe887d9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-metadata.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/dependency-submission` pinned to mutable ref `@v6`: `uses: gradle/actions/dependency-submission@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136920, "scanner": "repobility-supply-chain", "fingerprint": "293860f5d8f2006b58c631c20145b3ccb25c35af1b2bd2699b015776564158eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|293860f5d8f2006b58c631c20145b3ccb25c35af1b2bd2699b015776564158eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/submit-github-dependency-graph.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136919, "scanner": "repobility-supply-chain", "fingerprint": "8384c5389fa3e83ab984ae6b2d18ff50b1d7e732bb06385592d6ff45352dea7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8384c5389fa3e83ab984ae6b2d18ff50b1d7e732bb06385592d6ff45352dea7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/submit-github-dependency-graph.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136918, "scanner": "repobility-supply-chain", "fingerprint": "f86343e73cc5ec5fb53071a44cf5623cac80f601f8e83edf851c6cdc9aa094da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f86343e73cc5ec5fb53071a44cf5623cac80f601f8e83edf851c6cdc9aa094da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/submit-github-dependency-graph.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/issue-management-action/issue-comment-triage` pinned to mutable ref `@v2`: `uses: gradle/issue-management-action/issue-comment-triage@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136917, "scanner": "repobility-supply-chain", "fingerprint": "aefedebba1905172c8bf4937e46dd4d7236c1c53e1f909cf9137b8bf6b86b62a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aefedebba1905172c8bf4937e46dd4d7236c1c53e1f909cf9137b8bf6b86b62a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-comment-triage.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136916, "scanner": "repobility-supply-chain", "fingerprint": "ffb161a0610c1742207eab093944643565e0c3749d2aa0935132307f35e4dac8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ffb161a0610c1742207eab093944643565e0c3749d2aa0935132307f35e4dac8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-perf-test-buckets.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v6`: `uses: gradle/actions/setup-gradle@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136915, "scanner": "repobility-supply-chain", "fingerprint": "761e09dc0f47e05de51bc3ae34f585577df27c3fe1a0ad0442a97255de758a7e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|761e09dc0f47e05de51bc3ae34f585577df27c3fe1a0ad0442a97255de758a7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-perf-test-buckets.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136914, "scanner": "repobility-supply-chain", "fingerprint": "afaa8d0a8b7ea5efcf9aea9d629dd38016fe5da70ea4c5d36dfaa001010ce3f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|afaa8d0a8b7ea5efcf9aea9d629dd38016fe5da70ea4c5d36dfaa001010ce3f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-perf-test-buckets.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/aws-secretsmanager-get-secrets` pinned to mutable ref `@v3`: `uses: aws-actions/aws-secretsmanager-get-secrets@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136913, "scanner": "repobility-supply-chain", "fingerprint": "667fd28b00f9bb546f48741fda919b27e55c1334921ab163721eca279c29361c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|667fd28b00f9bb546f48741fda919b27e55c1334921ab163721eca279c29361c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-perf-test-buckets.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v6`: `uses: aws-actions/configure-aws-credentials@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136912, "scanner": "repobility-supply-chain", "fingerprint": "01ef145b5028304a4939428491b20673e20a00828137807cce576ca9dc67feb7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01ef145b5028304a4939428491b20673e20a00828137807cce576ca9dc67feb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-perf-test-buckets.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136911, "scanner": "repobility-supply-chain", "fingerprint": "f317ec034cd94f71bfaef666d8b955ac24653adc51a6cd0fc91240b31a03d316", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f317ec034cd94f71bfaef666d8b955ac24653adc51a6cd0fc91240b31a03d316"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-perf-test-buckets.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136910, "scanner": "repobility-supply-chain", "fingerprint": "bbd02a176d7131d2ff2e8fd5a2f7cca3d43b099b37f720cf3e3030c83ca02433", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bbd02a176d7131d2ff2e8fd5a2f7cca3d43b099b37f720cf3e3030c83ca02433"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-test-buckets.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136909, "scanner": "repobility-supply-chain", "fingerprint": "d061ef18f3d840a6f1d83da4e765b39402706483c37f63f39fd4c18324d540cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d061ef18f3d840a6f1d83da4e765b39402706483c37f63f39fd4c18324d540cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-test-buckets.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/aws-secretsmanager-get-secrets` pinned to mutable ref `@v3`: `uses: aws-actions/aws-secretsmanager-get-secrets@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136908, "scanner": "repobility-supply-chain", "fingerprint": "0f4434c7317ac3c64a82bc68657011d531038ee3d5c419dc83aa68820f8cfc7a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f4434c7317ac3c64a82bc68657011d531038ee3d5c419dc83aa68820f8cfc7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-test-buckets.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v6`: `uses: aws-actions/configure-aws-credentials@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136907, "scanner": "repobility-supply-chain", "fingerprint": "371ff0bfeada1a10321340a03f3aef50de9bb6e261529940dec907c58875c842", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|371ff0bfeada1a10321340a03f3aef50de9bb6e261529940dec907c58875c842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-test-buckets.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136906, "scanner": "repobility-supply-chain", "fingerprint": "cf8b65bb32b270d0ea8e61eec72fd0a7d35e61e0bd0015199b2b72826199d56a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf8b65bb32b270d0ea8e61eec72fd0a7d35e61e0bd0015199b2b72826199d56a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-test-buckets.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic."}, "properties": {"repobilityId": 136891, "scanner": "repobility-threat-engine", "fingerprint": "5393b6b49d5de1a553146619ff366bcf5a5195a5fbc86d87543f3eb7b01be56a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5393b6b49d5de1a553146619ff366bcf5a5195a5fbc86d87543f3eb7b01be56a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/inputs/process/instrument/AbstractProcessInstrumentationIntegrationTest.groovy"}, "region": {"startLine": 
200}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic."}, "properties": {"repobilityId": 136890, "scanner": "repobility-threat-engine", "fingerprint": "18765a5423a2bd7d9faafca9db24528d1782342ba1b608ddb98720a861a02569", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18765a5423a2bd7d9faafca9db24528d1782342ba1b608ddb98720a861a02569"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/inputs/process/ProcessInTransformIntegrationTest.groovy"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic."}, "properties": {"repobilityId": 136889, "scanner": "repobility-threat-engine", "fingerprint": "cf4ae92860aea56ad5d1855e71df7fa357b36b4ebdd9ab46b0c1bbdd6fd3363d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cf4ae92860aea56ad5d1855e71df7fa357b36b4ebdd9ab46b0c1bbdd6fd3363d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/inputs/process/ProcessInPluginIntegrationTest.groovy"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. 
libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 136886, "scanner": "repobility-threat-engine", "fingerprint": "f299ee36546e5a114bcfd70fea9811b236ab4604ac613c880dc4ab482a6e5dad", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new XmlParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f299ee36546e5a114bcfd70fea9811b236ab4604ac613c880dc4ab482a6e5dad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/performance-testing/src/main/groovy/gradlebuild/performance/generator/MavenPom.groovy"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136878, "scanner": "repobility-threat-engine", "fingerprint": "d9d0d429b27ad627e43092b7bf9974f76fc4ad35623a8d269b642fcc6bc58fae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "it.delete(tmpDir)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d9d0d429b27ad627e43092b7bf9974f76fc4ad35623a8d269b642fcc6bc58fae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/performance-testing/src/main/groovy/gradlebuild/performance/generator/tasks/RemoteProject.groovy"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136877, "scanner": "repobility-threat-engine", "fingerprint": "facefed4f5963b2cdf4c3d37abe4a1b24e930472fe4ec84e66ff757b934bae83", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "outputFile.delete()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|facefed4f5963b2cdf4c3d37abe4a1b24e930472fe4ec84e66ff757b934bae83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/packaging/src/main/kotlin/gradlebuild/instrumentation/tasks/InstrumentedSuperTypesMergeTask.kt"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136876, "scanner": "repobility-threat-engine", "fingerprint": "44dc9e64bd458edfcaedf27ec140e5d5b02c8e0e477bd4d5ec85fe61ef643de5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "AnchorLinkExtension.create()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|44dc9e64bd458edfcaedf27ec140e5d5b02c8e0e477bd4d5ec85fe61ef643de5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/documentation/src/main/groovy/gradlebuild/docs/RenderMarkdown.java"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 136873, "scanner": "repobility-threat-engine", "fingerprint": "e41402e74199e4369b742faaea7f73c88625464882ee491e1bfa6476d50661a0", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e41402e74199e4369b742faaea7f73c88625464882ee491e1bfa6476d50661a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/documentation/src/main/groovy/gradlebuild/docs/dsl/docbook/ClassDocExtensionsBuilder.java"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 136872, "scanner": "repobility-threat-engine", "fingerprint": "f74aea7be176e38d1bd0d81a86c067bc3f69f52e9931df4dd57b6a21edfd7dcf", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f74aea7be176e38d1bd0d81a86c067bc3f69f52e9931df4dd57b6a21edfd7dcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/documentation/src/main/groovy/gradlebuild/docs/XIncludeAwareXmlProvider.groovy"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 136871, "scanner": "repobility-threat-engine", "fingerprint": "f9a28b6b01b20a322ef4108b0cc115f31f6eb6226f25a3320b4c24753a4490cb", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f9a28b6b01b20a322ef4108b0cc115f31f6eb6226f25a3320b4c24753a4490cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/build-update-utils/src/main/kotlin/gradlebuild/buildutils/tasks/AbstractVersionsUpdateTask.kt"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. 
Use getOrElse / fold / match."}, "properties": {"repobilityId": 136859, "scanner": "repobility-threat-engine", "fingerprint": "850d2189475a701e3b3076df2b8e5a3f30a134ce21e434779e22e430e1c5412c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|850d2189475a701e3b3076df2b8e5a3f30a134ce21e434779e22e430e1c5412c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/rules/AbstractGradleViolationRule.groovy"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. 
Use getOrElse / fold / match."}, "properties": {"repobilityId": 136858, "scanner": "repobility-threat-engine", "fingerprint": "33dfaea5c22c2bf41564609e398619ca4be3544c70afeea3950e47721e4632b6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33dfaea5c22c2bf41564609e398619ca4be3544c70afeea3950e47721e4632b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/CleanAcceptedApiChanges.groovy"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. 
Use getOrElse / fold / match."}, "properties": {"repobilityId": 136857, "scanner": "repobility-threat-engine", "fingerprint": "917cbd21a5b447cec4e776f3e30164e12daf09b33f753f5267c7070fba94906c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|917cbd21a5b447cec4e776f3e30164e12daf09b33f753f5267c7070fba94906c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/BinaryCompatibilityHelper.groovy"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 136843, "scanner": "repobility-threat-engine", "fingerprint": "0f98326a090f72bbf5a7856cb4fd30364de874654b4d43a525941fadf67a6cc9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0f98326a090f72bbf5a7856cb4fd30364de874654b4d43a525941fadf67a6cc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic-settings/architecture-docs/src/main/kotlin/gradlebuild/GeneratePackageInfoDataTask.kt"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 136842, "scanner": "repobility-threat-engine", "fingerprint": "6d063618f6ead8d02b58a81d158ca6ccd227678bc50f0392bcee233fd29dea30", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d063618f6ead8d02b58a81d158ca6ccd227678bc50f0392bcee233fd29dea30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic-commons/module-identity/src/main/kotlin/gradlebuild/identity/extension/ReleasedVersionsDetails.kt"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 136841, "scanner": "repobility-threat-engine", "fingerprint": "734b2c8dd6fbc1deaa06a80c514b1799e6eebb06f28a0bec199ea3c49d9f8ece", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|734b2c8dd6fbc1deaa06a80c514b1799e6eebb06f28a0bec199ea3c49d9f8ece"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic-commons/basics/src/main/kotlin/gradlebuild/basics/BuildEnvironment.kt"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 136835, "scanner": "repobility-threat-engine", "fingerprint": "77170e9f1479082fc270f7b240981e523736ef095e307b75168f0f429951744c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|77170e9f1479082fc270f7b240981e523736ef095e307b75168f0f429951744c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"build-logic-commons/publishing/src/main/kotlin/gradlebuild.publish-public-libraries.gradle.kts"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 136834, "scanner": "repobility-threat-engine", "fingerprint": "b14eff5b1ddf777fc7e32b6c6a00be4f640521b7ecf59a5caa74247f5a4fb642", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b14eff5b1ddf777fc7e32b6c6a00be4f640521b7ecf59a5caa74247f5a4fb642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic-commons/publishing/src/main/kotlin/gradlebuild.kotlin-dsl-plugin-bundle.gradle.kts"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 136833, "scanner": "repobility-threat-engine", "fingerprint": "ac71832e4bda7236a6fd03bb2f38e926b96f6720c4eb15e9e9dacaa180320e43", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, 
"scanner": "repobility-threat-engine", "correlation_key": "fp|ac71832e4bda7236a6fd03bb2f38e926b96f6720c4eb15e9e9dacaa180320e43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/src/main/kotlin/configurations/Gradleception.kt"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 136831, "scanner": "repobility-threat-engine", "fingerprint": "70a4ee28e2dba946a519bd40b22dff3b54d514311a81e30f66854903f704f679", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|70a4ee28e2dba946a519bd40b22dff3b54d514311a81e30f66854903f704f679"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/scripts/FindCommits.java"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 136830, "scanner": "repobility-threat-engine", "fingerprint": "f7d29c4aca0857b5cc7959cc685f0987f0800d87d637ce3a66a753fef414167e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f7d29c4aca0857b5cc7959cc685f0987f0800d87d637ce3a66a753fef414167e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/scripts/CheckWrapper.java"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 136829, "scanner": "repobility-threat-engine", "fingerprint": "62c7f1a542d775ae97b07d3ed127a1f78fc2cb327914f4e72022ec7aec5fc47a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(String", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|62c7f1a542d775ae97b07d3ed127a1f78fc2cb327914f4e72022ec7aec5fc47a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/scripts/CheckBadMerge.java"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 136812, "scanner": "repobility-threat-engine", "fingerprint": "43fdade3e41ad83e5301d8cfa570c0f7ee399ca07bdde817cbe0f36792b3c363", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "HttpClient.newHttpClient()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43fdade3e41ad83e5301d8cfa570c0f7ee399ca07bdde817cbe0f36792b3c363"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/build-update-utils/src/main/kotlin/gradlebuild/buildutils/tasks/AbstractCheckOrUpdateContributorsInReleaseNotes.kt"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 136811, "scanner": "repobility-threat-engine", "fingerprint": "861b42dece65b24752c2d7aabcf75c6750b53c2b6500f8ae084e964dbe6c30a0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|861b42dece65b24752c2d7aabcf75c6750b53c2b6500f8ae084e964dbe6c30a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/binary-compatibility/src/main/groovy/gradlebuild/EnrichedReportRenderer.groovy"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 136810, "scanner": "repobility-threat-engine", "fingerprint": "d9b19ecd685605b54d6c73909703e4b886333754fe83fa2a1c005dbb03cb1a91", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d9b19ecd685605b54d6c73909703e4b886333754fe83fa2a1c005dbb03cb1a91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/.mvn/wrapper/MavenWrapperDownloader.java"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DEVELOCITY_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DEVELOCITY_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Note: GitHub withholds repository secrets (everything except the read-only GITHUB_TOKEN) from `pull_request` runs triggered by a fork, so for fork PRs this reference resolves to an empty value; the exfiltration described above becomes real when the trigger is `pull_request_target`, which runs with the base repository's secrets, or when trusted code checks out and executes fork code. Confirm which trigger and checkout ref the workflow actually uses before treating this as confirmed. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 136931, "scanner": "repobility-supply-chain", "fingerprint": "03f98fda4266f5b1194e9898def301e4055347db5e76c301317c2f205865b1fb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03f98fda4266f5b1194e9898def301e4055347db5e76c301317c2f205865b1fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/contributor-pr.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC101", "level": "error", "message": {"text": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) 
leading to RCE."}, "properties": {"repobilityId": 136885, "scanner": "repobility-threat-engine", "fingerprint": "565aff78050ad50abdd58e5db37ef662323350ab29a3617a157285c5c46f8605", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new ObjectInputStream(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC101", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|46|sec101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/documentation/src/main/groovy/gradlebuild/docs/model/SimpleClassMetaDataRepository.java"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 136882, "scanner": "repobility-threat-engine", "fingerprint": "611137d13fca6458213b8a44ebc638e2babdd62c31fa187176a8a841faf56381", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|611137d13fca6458213b8a44ebc638e2babdd62c31fa187176a8a841faf56381"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platforms/core-configuration/kotlin-dsl-tooling-builders/src/crossVersionTest/groovy/org/gradle/kotlin/dsl/tooling/builders/AbstractKotlinScriptModelCrossVersionTest.groovy"}, "region": 
{"startLine": 80}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 136881, "scanner": "repobility-threat-engine", "fingerprint": "19c9040b1c22e5276eed6762fdbd4cb85fba1ad02967b8fd268522865523bf81", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|19c9040b1c22e5276eed6762fdbd4cb85fba1ad02967b8fd268522865523bf81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/documentation/src/main/groovy/gradlebuild/docs/dsl/docbook/AssembleDslDocTask.groovy"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. 
Code injection."}, "properties": {"repobilityId": 136880, "scanner": "repobility-threat-engine", "fingerprint": "6071d148a5f1f00701fc2582fcc6cfb0dcca8df5aa5259c2c43f2c12c85ee874", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6071d148a5f1f00701fc2582fcc6cfb0dcca8df5aa5259c2c43f2c12c85ee874"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/documentation/src/main/groovy/gradlebuild/docs/UserGuideTransformTask.groovy"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 136839, "scanner": "repobility-threat-engine", "fingerprint": "9d76d687cf2b7c0979c4d6142e31176bee54a7c5ed4ebf256a897aecd9446abf", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(project", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d76d687cf2b7c0979c4d6142e31176bee54a7c5ed4ebf256a897aecd9446abf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic-commons/gradle-plugin/src/main/kotlin/gradlebuild.ci-reporting.gradle.kts"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 136838, "scanner": "repobility-threat-engine", "fingerprint": "7c923f370dfc3f107e75e230670f38c48ec871c79f5f498167f5e4d822b6f937", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(it", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7c923f370dfc3f107e75e230670f38c48ec871c79f5f498167f5e4d822b6f937"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic-commons/basics/src/main/kotlin/gradlebuild/basics/util/ConfigurationExtensions.kt"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 136837, "scanner": "repobility-threat-engine", "fingerprint": "80a2216db050d8d04d1ab466b1a4d1410a6b3361d79b834a89e1a65ad88e532a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(this", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|80a2216db050d8d04d1ab466b1a4d1410a6b3361d79b834a89e1a65ad88e532a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".teamcity/src/main/kotlin/promotion/PublishNightlySnapshot.kt"}, "region": {"startLine": 54}}}]}]}]}