{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-pq67-6m6q-mj2v", "name": "urllib3: GHSA-pq67-6m6q-mj2v", "shortDescription": {"text": "urllib3: GHSA-pq67-6m6q-mj2v"}, "fullDescription": {"text": "urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gc5v-m9x4-r6x2", "name": "requests: GHSA-gc5v-m9x4-r6x2", "shortDescription": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "fullDescription": {"text": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9wx4-h78v-vm56", "name": "requests: GHSA-9wx4-h78v-vm56", "shortDescription": {"text": "requests: GHSA-9wx4-h78v-vm56"}, "fullDescription": {"text": "Requests `Session` object does not verify requests after making first request with verify=False"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9hjg-9r4m-mvj7", "name": "requests: GHSA-9hjg-9r4m-mvj7", "shortDescription": {"text": "requests: GHSA-9hjg-9r4m-mvj7"}, "fullDescription": {"text": "Requests vulnerable to .netrc credentials leak via malicious URLs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mr82-8j83-vxmv", "name": "pydantic: GHSA-mr82-8j83-vxmv", "shortDescription": {"text": "pydantic: GHSA-mr82-8j83-vxmv"}, "fullDescription": {"text": "Pydantic regular expression denial of service"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `merge_jettons` has cognitive complexity 25 (SonarSource scale). Cognitive", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `merge_jettons` has cognitive complexity 25 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 25."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-PY", "name": "Python package `pydantic` is 1 major version(s) behind (1.9.2 -> 2.13.4)", "shortDescription": {"text": "Python package `pydantic` is 1 major version(s) behind (1.9.2 -> 2.13.4)"}, "fullDescription": {"text": "`pydantic==1.9.2` is 1 major version(s) behind the latest stable release on PyPI (2.13.4). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. 
Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-gm62-xv2j-4w53", "name": "urllib3: GHSA-gm62-xv2j-4w53", "shortDescription": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "fullDescription": {"text": "urllib3 allows an unbounded number of links in the decompression chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38jv-5279-wg99", "name": "urllib3: GHSA-38jv-5279-wg99", "shortDescription": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "fullDescription": {"text": "Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2xpw-w6gg-jr37", "name": "urllib3: GHSA-2xpw-w6gg-jr37", "shortDescription": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "fullDescription": {"text": "urllib3 streaming API improperly handles highly compressed data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-141", "name": "urllib3: PYSEC-2026-141", "shortDescription": {"text": "urllib3: PYSEC-2026-141"}, 
"fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-74", "name": "requests: PYSEC-2023-74", "shortDescription": {"text": "requests: PYSEC-2023-74"}, "fullDescription": {"text": "Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v3`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "fullDescription": {"text": "`uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). 
Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `html` used but not imported", "shortDescription": {"text": "Missing import: `html` used but not imported"}, "fullDescription": {"text": "The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1154"}, "properties": {"repository": "tonkeeper/ton-assets", "repoUrl": "https://github.com/tonkeeper/ton-assets", "branch": "main"}, "results": [{"ruleId": "GHSA-pq67-6m6q-mj2v", "level": "warning", "message": {"text": "urllib3: GHSA-pq67-6m6q-mj2v"}, "properties": {"repobilityId": 115416, "scanner": "osv-scanner", "fingerprint": "163bdff65c3ce10f9a93a9866aca7dc5f2158119544e441758bb1e189063007d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-50181"], "package": "urllib3", "rule_id": "GHSA-pq67-6m6q-mj2v", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-50181|requirements.txt"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gc5v-m9x4-r6x2", "level": "warning", "message": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "properties": {"repobilityId": 115411, "scanner": "osv-scanner", "fingerprint": "df69fc105f839b8858988bd945af94347c2e8a5ab6be2c5dec785fcd4d2fc827", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25645"], "package": "requests", "rule_id": "GHSA-gc5v-m9x4-r6x2", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2026-25645|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9wx4-h78v-vm56", "level": "warning", "message": {"text": "requests: GHSA-9wx4-h78v-vm56"}, "properties": {"repobilityId": 115410, "scanner": "osv-scanner", "fingerprint": "16335ea6537f2b6c71811f552212ec9408c35d43ff73d772da0d19be29d73991", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-35195"], "package": "requests", "rule_id": "GHSA-9wx4-h78v-vm56", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2024-35195|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9hjg-9r4m-mvj7", "level": "warning", "message": {"text": "requests: GHSA-9hjg-9r4m-mvj7"}, "properties": {"repobilityId": 115409, "scanner": "osv-scanner", "fingerprint": "034eedde606d9526f151c4b574252cb5c7f7efabba940fadb09dc2a0d1598395", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2024-47081"], "package": "requests", "rule_id": "GHSA-9hjg-9r4m-mvj7", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2024-47081|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mr82-8j83-vxmv", "level": "warning", "message": {"text": "pydantic: GHSA-mr82-8j83-vxmv"}, "properties": {"repobilityId": 115407, "scanner": "osv-scanner", "fingerprint": "7ddbcde8c6e7f491dfe0c53c8cd587b508f646175d877361b2d129ab85fedd2e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-3772"], "package": "pydantic", "rule_id": "GHSA-mr82-8j83-vxmv", "scanner": "osv-scanner", "correlation_key": "vuln|pydantic|CVE-2024-3772|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `merge_jettons` has cognitive complexity 25 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, for=4, if=8, nested_bonus=12."}, "properties": {"repobilityId": 115398, "scanner": "repobility-threat-engine", "fingerprint": "3ac0ce0f7adb94650f83bde84282d36603a8dbe4fe1a833a2e75e77468984903", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 25 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "merge_jettons", "breakdown": {"if": 8, "for": 4, "else": 1, "nested_bonus": 12}, "complexity": 25, "correlation_key": "fp|3ac0ce0f7adb94650f83bde84282d36603a8dbe4fe1a833a2e75e77468984903"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `pydantic` is 1 major version(s) behind (1.9.2 -> 2.13.4)"}, "properties": {"repobilityId": 115392, "scanner": "repobility-dependency-currency", "fingerprint": "7507cb65a9fd3c326942bab06aaba725cbce385de972d17fffad7ab4939a0411", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pydantic", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.13.4", "correlation_key": "fp|7507cb65a9fd3c326942bab06aaba725cbce385de972d17fffad7ab4939a0411", "current_version": "1.9.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `collect_all_dexes` has cognitive complexity 13 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, else=1, for=4, if=3, nested_bonus=3."}, "properties": {"repobilityId": 115399, "scanner": "repobility-threat-engine", "fingerprint": "1760ee007c60504371efd06258f0c60a17b48682dd06d6777ef267f2f0dcbde9", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "collect_all_dexes", "breakdown": {"if": 3, "for": 4, "else": 1, "continue": 2, "nested_bonus": 3}, "complexity": 13, "correlation_key": "fp|1760ee007c60504371efd06258f0c60a17b48682dd06d6777ef267f2f0dcbde9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `__get_backed_assets` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, for=2, if=3, nested_bonus=4."}, "properties": {"repobilityId": 115397, "scanner": "repobility-threat-engine", "fingerprint": "81b2a3610434ebe3bb427aaa676a4df44524ab3a0b0e0e253c1d2dba5e350ea5", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "__get_backed_assets", "breakdown": {"if": 3, "for": 2, "continue": 1, "nested_bonus": 4}, "complexity": 10, "correlation_key": "fp|81b2a3610434ebe3bb427aaa676a4df44524ab3a0b0e0e253c1d2dba5e350ea5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dexes.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `requests` is minor version(s) behind (2.27.1 -> 2.34.2)"}, "properties": {"repobilityId": 115394, "scanner": "repobility-dependency-currency", "fingerprint": "b0fed904be063de03cbbf63a8f2f8fefad51992b297fad88208043f60c5c4234", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "requests", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.34.2", "correlation_key": "fp|b0fed904be063de03cbbf63a8f2f8fefad51992b297fad88208043f60c5c4234", "current_version": "2.27.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 115386, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": 
"low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 115400, "scanner": "repobility-threat-engine", "fingerprint": "ffacc44acd0408185fc3827739658544dd0204c83ccb78694e2ced81539c2c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "__get_backed_assets", "breakdown": {"if": 3, "for": 2, "continue": 1, "nested_bonus": 4}, "aggregated": true, "complexity": 10, "correlation_key": "fp|ffacc44acd0408185fc3827739658544dd0204c83ccb78694e2ced81539c2c58", "aggregated_count": 3}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 115396, "scanner": "repobility-threat-engine", "fingerprint": "9d7f3b217a4d998b79dedfa7ce1178a9ad4135fcfcab086e42988612263ddbe2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d7f3b217a4d998b79dedfa7ce1178a9ad4135fcfcab086e42988612263ddbe2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dexes.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `pyyaml` is patch version(s) behind (6.0.1 -> 6.0.3)"}, "properties": {"repobilityId": 115393, "scanner": "repobility-dependency-currency", "fingerprint": "8f809e8c9d3d2aebb8b82372124b1cfea53d879abc2602c89a781b656ec93574", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pyyaml", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "6.0.3", "correlation_key": "fp|8f809e8c9d3d2aebb8b82372124b1cfea53d879abc2602c89a781b656ec93574", "current_version": "6.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "GHSA-gm62-xv2j-4w53", "level": "error", "message": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "properties": {"repobilityId": 115415, "scanner": "osv-scanner", 
"fingerprint": "c6179b31454e1888b1c1cb677d9a99fa3cc26aa20b5c461bc02cfa5532b4b7de", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66418"], "package": "urllib3", "rule_id": "GHSA-gm62-xv2j-4w53", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66418|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38jv-5279-wg99", "level": "error", "message": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "properties": {"repobilityId": 115414, "scanner": "osv-scanner", "fingerprint": "7efc812025ab761a376ad0e88be78a767b579da26a39959de36b3ff8586ddf87", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-21441"], "package": "urllib3", "rule_id": "GHSA-38jv-5279-wg99", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-21441|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2xpw-w6gg-jr37", "level": "error", "message": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "properties": {"repobilityId": 115413, "scanner": "osv-scanner", "fingerprint": "3e8220a54bdfdded3281f2e83b5ce135568419305f3e1461f7898b0d265417c6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66471"], "package": "urllib3", "rule_id": "GHSA-2xpw-w6gg-jr37", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66471|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"PYSEC-2026-141", "level": "error", "message": {"text": "urllib3: PYSEC-2026-141"}, "properties": {"repobilityId": 115412, "scanner": "osv-scanner", "fingerprint": "c9782ea239ddf9652bd8aa66c5c6c4ebee4d2b704faaab015341940a64bb5ee3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc"], "package": "urllib3", "rule_id": "PYSEC-2026-141", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44431|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8fea5709b1e04c1904accc4ad0dc76733fefc920773cbaba3c59a24994880532", "c9782ea239ddf9652bd8aa66c5c6c4ebee4d2b704faaab015341940a64bb5ee3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-74", "level": "error", "message": {"text": "requests: PYSEC-2023-74"}, "properties": {"repobilityId": 115408, "scanner": "osv-scanner", "fingerprint": "a81c4a7cab5d835d73b2ff3eb70dee4bb9f73fd08f2067107fdc34acdd0332d6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-32681", "GHSA-j8r2-6x86-q33q"], "package": "requests", "rule_id": "PYSEC-2023-74", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2023-32681|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-j8r2-6x86-q33q", "PYSEC-2023-74"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["a4d38873f5575298016caa3ef94e03ad4826ced628c4c7053d2059aa98186e76", 
"a81c4a7cab5d835d73b2ff3eb70dee4bb9f73fd08f2067107fdc34acdd0332d6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 115402, "scanner": "repobility-threat-engine", "fingerprint": "6b90c2d13042dca3417af178622c05b767b1b279dbb09a93d9b73ae50f9381a6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6b90c2d13042dca3417af178622c05b767b1b279dbb09a93d9b73ae50f9381a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "to_review/presenter.py"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 115401, "scanner": "repobility-threat-engine", "fingerprint": "49fa91bc82e4a152862fdeacd2bf55c58efbc09d81cabc94891f96a89d8a11ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": 
["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|49fa91bc82e4a152862fdeacd2bf55c58efbc09d81cabc94891f96a89d8a11ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "parser.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 115395, "scanner": "repobility-threat-engine", "fingerprint": "bd5cbe2c58131f1f8b89f54aa42c3cc8186758dd31d7dca03b169617b4324247", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bd5cbe2c58131f1f8b89f54aa42c3cc8186758dd31d7dca03b169617b4324247"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dexes.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 115391, "scanner": "repobility-supply-chain", "fingerprint": "7501c36549437ea95ae6c7bd8b77adc8d43346bb6450aaf26912ce97ed248d9c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7501c36549437ea95ae6c7bd8b77adc8d43346bb6450aaf26912ce97ed248d9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/parse-ton-labels.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 115390, "scanner": "repobility-supply-chain", "fingerprint": "a6d89425e7d82c6b529f9ba7a6c7fe211b4625604ce4b8ebcaca74765763d131", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6d89425e7d82c6b529f9ba7a6c7fe211b4625604ce4b8ebcaca74765763d131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rebuild-src.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 115389, "scanner": "repobility-supply-chain", "fingerprint": "9e3eb4ff6cfea7bee500c9a0057f71acf25189d832b9ff822242ae627224db73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e3eb4ff6cfea7bee500c9a0057f71acf25189d832b9ff822242ae627224db73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_src_valid.yml"}, "region": 
{"startLine": 14}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 115385, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations. NOTE: the matched line is labelled `Token address in Ethereum` (see evidence.match); an Ethereum token contract address is a public on-chain identifier rather than a credential, so this is likely a false positive of the generic-api-key pattern. Confirm the redacted value is a plain 0x-prefixed contract address and, if so, allowlist it in the gitleaks config instead of treating it as a leaked secret."}, "properties": {"repobilityId": 115406, "scanner": "gitleaks", "fingerprint": "881e19dcb43b23d5b457d496477c026ff7797afad50e73fbb4520ce2c2557090", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "Token address in Ethereum: REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|jettons.json|1259|token address in ethereum: redacted", "duplicate_count": 1, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["5e70a3f517f68b2121548b317f5bc9dadee3559bc57e0cc7b4bc2169c704a33e", "881e19dcb43b23d5b457d496477c026ff7797afad50e73fbb4520ce2c2557090"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "jettons.json"}, "region": {"startLine": 12591}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations. NOTE: the matched line is labelled `Token address in Ethereum` (see evidence.match); an Ethereum token contract address is a public on-chain identifier rather than a credential, so this is likely a false positive of the generic-api-key pattern. Confirm the redacted value is a plain 0x-prefixed contract address and, if so, allowlist it in the gitleaks config instead of treating it as a leaked secret."}, "properties": {"repobilityId": 115405, "scanner": "gitleaks", "fingerprint": "7becd18cccaeff25789ac143377d48c38f527aa7403d4882a88e4de123eb9aae", 
"category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Token address in Ethereum: REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|jettons.json|1258|token address in ethereum: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "jettons.json"}, "region": {"startLine": 12584}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations. NOTE: the matched line is labelled `Token address in Ethereum` (see evidence.match); an Ethereum token contract address is a public on-chain identifier rather than a credential, so this is likely a false positive of the generic-api-key pattern. Confirm the redacted value is a plain 0x-prefixed contract address and, if so, allowlist it in the gitleaks config instead of treating it as a leaked secret."}, "properties": {"repobilityId": 115404, "scanner": "gitleaks", "fingerprint": "b06627d28d152806454a96ed215fe4f66e5da9a9c7aa5b61ac2878d84c8fee74", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Token address in Ethereum: REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|jettons.json|1257|token address in ethereum: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "jettons.json"}, "region": {"startLine": 12577}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations. NOTE: the matched line is labelled `Token address in Ethereum` (see evidence.match); an Ethereum token contract address is a public on-chain identifier rather than a credential, so this is likely a false positive of the generic-api-key pattern. Confirm the redacted value is a plain 0x-prefixed contract address and, if so, allowlist it in the gitleaks config instead of treating it as a leaked secret."}, "properties": {"repobilityId": 115403, "scanner": "gitleaks", "fingerprint": "778942a50666a8ef6088ea01aac278b254f3f6be532b0b7488628af562826b1d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "Token address in Ethereum: REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": 
"generic-api-key", "correlation_key": "secret|jettons/bridge.yaml|1|token address in ethereum: redacted", "duplicate_count": 3, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["778942a50666a8ef6088ea01aac278b254f3f6be532b0b7488628af562826b1d", "8daabbfc6e7bc24675d82fe63f238c3f68c6befdb9d63d3dd224b88ad700437d", "a452fdaba670482079f5ba50d922def66727d4af8db31df78193add99f432641", "df76d222e831f5ad560b48bc247f77384d0e65acc0d1d99c7ce2b10185ec8f42"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "jettons/bridge.yaml"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `html` used but not imported"}, "properties": {"repobilityId": 115388, "scanner": "repobility-ast-engine", "fingerprint": "0aabcc648b49365a39d3eb8ff66312a2801c3ff440caac6a40038bec829bc705", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0aabcc648b49365a39d3eb8ff66312a2801c3ff440caac6a40038bec829bc705"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "to_review/presenter.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `collections` used but not imported"}, "properties": {"repobilityId": 115387, "scanner": "repobility-ast-engine", "fingerprint": "2a15efadce3a09111f6db113bb2a00686b75b1a7fa68fee656b2779371a0e351", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], 
"languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a15efadce3a09111f6db113bb2a00686b75b1a7fa68fee656b2779371a0e351"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator.py"}, "region": {"startLine": 136}}}]}]}]}