{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `variation_chart` (list): `def variation_chart(... = []/{}/set())` \u2014 Python's def", "shortDescription": {"text": "[MINED109] Mutable default argument in `variation_chart` (list): `def variation_chart(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates "}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def variation_chart(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. 
Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `__init__` has cognitive complexity 20 (SonarSource scale). Cognitive comp", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `__init__` has cognitive complexity 20 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 20."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. 
AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 26 more): Same pattern found in 26 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v8.1.0`: `uses: astral-sh/setup-uv@v8.1.0` resolves at wo", "shortDescription": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v8.1.0`: `uses: astral-sh/setup-uv@v8.1.0` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromi"}, "fullDescription": {"text": "Replace with: `uses: astral-sh/setup-uv@<40-char-sha>  # v8.1.0` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_given_multiple_entities_uprated_then_all_apply_correctly: Test function `test_giv", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_given_multiple_entities_uprated_then_all_apply_correctly: Test function `test_given_multiple_entities_uprated_then_all_apply_correctly` runs code but contains no assert / expect / should call \u2014 it pass"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.is_supported_source_file` used but never assigned in __init__: Method `get_uncommitted_changes` of clas", "shortDescription": {"text": "[MINED108] `self.is_supported_source_file` used but never assigned in __init__: Method `get_uncommitted_changes` of class `SelectiveTestRunner` reads `self.is_supported_source_file`, but no assignment to it exists in __init__ (and no class-"}, "fullDescription": {"text": "Initialize `self.is_supported_source_file = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery 
(SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED009", "name": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.", "shortDescription": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED125", "name": "[MINED125] GHA script injection via github.head_ref in run-step: Multi-line `run: |` block interpolates ${{ github.head_", "shortDescription": {"text": "[MINED125] GHA script injection via github.head_ref in run-step: Multi-line `run: |` block interpolates ${{ github.head_ref }} into shell. 
PR title/body/branch/comment fields are attacker-controllable."}, "fullDescription": {"text": "Capture the field into an env var first; reference $ENV_VAR in shell."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. T", "shortDescription": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. 
This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import html` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1332"}, "properties": {"repository": "PolicyEngine/policyengine-us", "repoUrl": "https://github.com/PolicyEngine/policyengine-us", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 136113, "scanner": "repobility-ast-engine", "fingerprint": "dbbb1919ac57e48fabae462dbd987ad3fdeccd0cd62e6428b435f7fc3f79a872", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dbbb1919ac57e48fabae462dbd987ad3fdeccd0cd62e6428b435f7fc3f79a872"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/run_selective_tests.py"}, "region": {"startLine": 268}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 136100, "scanner": "repobility-ast-engine", "fingerprint": "7d860ffed3ce5cb54cde99ae4ff38d93d445e695423eff891369263a23f113d6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7d860ffed3ce5cb54cde99ae4ff38d93d445e695423eff891369263a23f113d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/test_batched.py"}, "region": {"startLine": 442}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 136099, "scanner": "repobility-ast-engine", "fingerprint": "1696e6d219a80cfe2e8cb2c33f06735492fde5ffb47648e738edf10d043c4201", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1696e6d219a80cfe2e8cb2c33f06735492fde5ffb47648e738edf10d043c4201"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/test_batched.py"}, "region": {"startLine": 434}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `variation_chart` (list): `def variation_chart(... 
= []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 136084, "scanner": "repobility-ast-engine", "fingerprint": "1731d218b05f71f97bea82ee6574baa3518ee5e3acd459a99c34943d6b332509", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1731d218b05f71f97bea82ee6574baa3518ee5e3acd459a99c34943d6b332509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/documentation.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 136080, "scanner": "repobility-ast-engine", "fingerprint": "e12d3781dc649d059fb9f7aba89d5ac502e32c8bfec62ebbaaba33b6c247bc41", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e12d3781dc649d059fb9f7aba89d5ac502e32c8bfec62ebbaaba33b6c247bc41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/build_metadata.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 136060, "scanner": "repobility-threat-engine", "fingerprint": "dc366ffaceb9e25f9f370ebd11b0a52d1145ae18d91799595174c8191cacea46", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dc366ffaceb9e25f9f370ebd11b0a52d1145ae18d91799595174c8191cacea46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/ssa/revenue/employer_ss_tax_income_tax_revenue.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 136059, "scanner": "repobility-threat-engine", "fingerprint": "a4451b501d50941e53f647e7d4cb1a00740b1428ff8a496cc9c3464c0ce0dec9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a4451b501d50941e53f647e7d4cb1a00740b1428ff8a496cc9c3464c0ce0dec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/ssa/revenue/employer_medicare_tax_income_tax_revenue.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 136058, "scanner": "repobility-threat-engine", "fingerprint": "c04b9de5d0c5812bdbbf2de1e563f97200fc176095b3f2f89c337cf6cf65ee61", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c04b9de5d0c5812bdbbf2de1e563f97200fc176095b3f2f89c337cf6cf65ee61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/puf.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 136044, "scanner": "repobility-threat-engine", "fingerprint": "243ad8e494c1b36fe20b0ebbeed73cb642c58dca581a94ef6070a01bd26a330f", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|169|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/geography/download_50_state_census_block_data.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `__init__` has cognitive complexity 20 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=2, if=3, nested_bonus=8, ternary=7."}, "properties": {"repobilityId": 136034, "scanner": "repobility-threat-engine", "fingerprint": "bc6dfe1ed5f4078ef20a6e4a527ffe2a95115cadfeba243a3056a53ce558cf7b", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 20 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "__init__", "breakdown": {"if": 3, "else": 2, "ternary": 7, "nested_bonus": 8}, "complexity": 20, "correlation_key": "fp|bc6dfe1ed5f4078ef20a6e4a527ffe2a95115cadfeba243a3056a53ce558cf7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/data/dataset_schema.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `__init__` has cognitive complexity 24 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=1, else=2, for=3, if=5, nested_bonus=13."}, "properties": {"repobilityId": 136033, "scanner": "repobility-threat-engine", "fingerprint": "41e18486b949c31198b194fe32ccf530591017a75f9f2bb20df8d1e65f7d202c", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 24 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "__init__", "breakdown": {"if": 5, "for": 3, "elif": 1, "else": 2, "nested_bonus": 13}, "complexity": 24, "correlation_key": "fp|41e18486b949c31198b194fe32ccf530591017a75f9f2bb20df8d1e65f7d202c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/data/dataset_schema.py"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 136031, "scanner": "repobility-threat-engine", "fingerprint": "669950d73a934db59cb6253d41206bf6746b29d3e046448333e4b0091dd321fe", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n            return subprocess.check_output(\n                [\"git\", \"-C\", str(candidate), \"rev-", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|669950d73a934db59cb6253d41206bf6746b29d3e046448333e4b0091dd321fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/build_metadata.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136079, "scanner": "repobility-ai-code-hygiene", "fingerprint": "daea3e65f2892a16ab3bfebf541e0202c29bbabfa5c20b840df2b38d05adf99f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/variables/gov/hud/hud_utility_allowance.py", "duplicate_line": 18, "correlation_key": "fp|daea3e65f2892a16ab3bfebf541e0202c29bbabfa5c20b840df2b38d05adf99f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/hud/pha_payment_standard.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 136078, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d2dc0eee4538e8b475af085aa493a568b0bc0e2ceb84ecbec229c4845205914b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/variables/gov/aca/slspc/slcsp_family_tier_multiplier.py", "duplicate_line": 30, "correlation_key": "fp|d2dc0eee4538e8b475af085aa493a568b0bc0e2ceb84ecbec229c4845205914b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/hhs/medicaid/costs/medicaid_slcsp_family_tier_multiplier.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136077, "scanner": "repobility-ai-code-hygiene", "fingerprint": "014d549689cedd7caf9ab073ed077e5f246c60957c08f261e73b2c97dfea79d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/variables/gov/aca/lcbp/lcbp_family_tier_category.py", "duplicate_line": 14, "correlation_key": "fp|014d549689cedd7caf9ab073ed077e5f246c60957c08f261e73b2c97dfea79d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/aca/slspc/slcsp_family_tier_category.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136076, "scanner": "repobility-ai-code-hygiene", "fingerprint": "389999af09466b2801c8a2302c314337315ce10a28fd37b8637549c7463ede36", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/model_api.py", "duplicate_line": 55, "correlation_key": "fp|389999af09466b2801c8a2302c314337315ce10a28fd37b8637549c7463ede36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/geography/download_50_state_census_block_data.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136075, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d1c66041d3c5ff7225589d6d99aab4549a453a5e6ca0d54d7c9feea48bf6425", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/ctc/ctc_minimum_refundable_amount.py", "duplicate_line": 36, "correlation_key": "fp|9d1c66041d3c5ff7225589d6d99aab4549a453a5e6ca0d54d7c9feea48bf6425"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/taxsim.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 136074, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d82d88427caa57e4d6b05565c714336fa8486b59d4054c12f9369d9e238da0c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/states/nc/cdcc/nc_cdcc_reform.py", "duplicate_line": 28, "correlation_key": "fp|8d82d88427caa57e4d6b05565c714336fa8486b59d4054c12f9369d9e238da0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/states/nc/eitc/nc_eitc_reform.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136073, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9ece30193eacde0c64a4eb70d9f4dcc5871b2315534c6c7bcedcc9c936342d5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/biden/budget_2025/capital_gains_tax_increase.py", "duplicate_line": 3, "correlation_key": "fp|b9ece30193eacde0c64a4eb70d9f4dcc5871b2315534c6c7bcedcc9c936342d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/harris/capital_gains/harris_capital_gains.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136072, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "8010c4042ffb4adaa3c73e5acbde14f59b2d09f483ddd213f0bc311ac107ec4d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/congress/romney/family_security_act_2024/ctc/family_security_act_2024_ctc.py", "duplicate_line": 60, "correlation_key": "fp|8010c4042ffb4adaa3c73e5acbde14f59b2d09f483ddd213f0bc311ac107ec4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/ctc/ctc_older_child_supplement.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136071, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee8d2a2f602adc8dd742f46f61d7898602e7cfe37a3b3776ff0e7bb77cdc4e47", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/crfb/tax_employer_medicare_tax.py", "duplicate_line": 5, "correlation_key": "fp|ee8d2a2f602adc8dd742f46f61d7898602e7cfe37a3b3776ff0e7bb77cdc4e47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/crfb/tax_employer_social_security_tax.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136070, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "73a1749f7f34093aa0b3ed82c4681063394669dd285879172d48e72415b48510", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/crfb/tax_employer_medicare_tax.py", "duplicate_line": 5, "correlation_key": "fp|73a1749f7f34093aa0b3ed82c4681063394669dd285879172d48e72415b48510"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/crfb/tax_employer_payroll_tax.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136069, "scanner": "repobility-ai-code-hygiene", "fingerprint": "578695e47f78d21e2ce36e6d8527990e014fe3b193983fbb76a84f8865cff7ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/congress/tlaib/economic_dignity_for_all_agenda/edaa_end_child_poverty_act.py", "duplicate_line": 118, "correlation_key": "fp|578695e47f78d21e2ce36e6d8527990e014fe3b193983fbb76a84f8865cff7ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/congress/tlaib/end_child_poverty_act.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136068, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "6b383bc2e907a9720e2885ae0d81565727d166af77976a992c018c56b0a23d4f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/congress/tlaib/boost/boost_middle_class_tax_credit.py", "duplicate_line": 39, "correlation_key": "fp|6b383bc2e907a9720e2885ae0d81565727d166af77976a992c018c56b0a23d4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/congress/tlaib/end_child_poverty_act.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136067, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a83983005e6a3ccd9de18294c366d03648eeb7d284d2296b2caeab6decf8589c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/congress/tlaib/boost/boost_middle_class_tax_credit.py", "duplicate_line": 96, "correlation_key": "fp|a83983005e6a3ccd9de18294c366d03648eeb7d284d2296b2caeab6decf8589c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/congress/tlaib/economic_dignity_for_all_agenda/edaa_end_child_poverty_act.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 136066, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43f324c792309d185af659d05b7b3d73d7fc4bf8909107a8e1710847804327a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/aca/aca_ptc_700_fpl_cliff.py", "duplicate_line": 35, "correlation_key": "fp|43f324c792309d185af659d05b7b3d73d7fc4bf8909107a8e1710847804327a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/aca/aca_ptc_simplified_bracket.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136065, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e8e8b0a6c831a3ce34bfa8b6c2f00ff82d1422bc85ba1b7eaa62a566a6e9285", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/aca/aca_ptc_additional_bracket.py", "duplicate_line": 27, "correlation_key": "fp|8e8e8b0a6c831a3ce34bfa8b6c2f00ff82d1422bc85ba1b7eaa62a566a6e9285"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/aca/aca_ptc_simplified_bracket.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136064, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "56fd1238d3198a59c5c67ef4f8c72c87ef461b1b301d705c1df10fe238ef0601", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "policyengine_us/reforms/aca/aca_ptc_700_fpl_cliff.py", "duplicate_line": 35, "correlation_key": "fp|56fd1238d3198a59c5c67ef4f8c72c87ef461b1b301d705c1df10fe238ef0601"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/aca/aca_ptc_additional_bracket.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 136063, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef2df8b1408e00a1206b2dd32e2d465630a7b8a6f845aa48423497d9dbc7b4e2", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "working", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ef2df8b1408e00a1206b2dd32e2d465630a7b8a6f845aa48423497d9dbc7b4e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/states/mt/dhs/tanf/work_requirement/mt_tanf_is_working.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 136062, "scanner": "repobility-ai-code-hygiene", "fingerprint": "21899f7c97a485db6591fe071ef920855b30baf206a478ee3075cd07790388b4", "category": 
"quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "working", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|21899f7c97a485db6591fe071ef920855b30baf206a478ee3075cd07790388b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/states/dc/dhs/tanf/work_requirement/dc_tanf_is_working.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_iter_surface_files` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=2, continue=1, for=1, if=2, nested_bonus=2."}, "properties": {"repobilityId": 136032, "scanner": "repobility-threat-engine", "fingerprint": "ebfc53faa266d916e9d0cf8744deab6e08d0e84be5e9c2415993a3addb4ee0d4", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_iter_surface_files", "breakdown": {"if": 2, "and": 2, "for": 1, "continue": 1, "nested_bonus": 2}, "complexity": 8, "correlation_key": "fp|ebfc53faa266d916e9d0cf8744deab6e08d0e84be5e9c2415993a3addb4ee0d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/build_metadata.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 136061, "scanner": "repobility-threat-engine", "fingerprint": "8a4bd872da419130753367ef5a61efa729f221dd8f26dbedd7003551d50a5f41", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a4bd872da419130753367ef5a61efa729f221dd8f26dbedd7003551d50a5f41"}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 136057, "scanner": "repobility-threat-engine", "fingerprint": "97e83b35d6d87ad95e23d12f8a95338efdb63b7f12c389b8e08fe5a80cf94e6e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|97e83b35d6d87ad95e23d12f8a95338efdb63b7f12c389b8e08fe5a80cf94e6e", "aggregated_count": 3}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 136056, "scanner": "repobility-threat-engine", "fingerprint": "0093f43e7ba2ba3ef9a4cfb868f805a3d9508f21fb0b5d5b6c406820ef97a945", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0093f43e7ba2ba3ef9a4cfb868f805a3d9508f21fb0b5d5b6c406820ef97a945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/ssa/revenue/employer_ss_tax_income_tax_revenue.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 136055, "scanner": "repobility-threat-engine", "fingerprint": 
"4394fa2faecbd722837b30c19ff235ec0a14cc6f660f252218df688f5a707187", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4394fa2faecbd722837b30c19ff235ec0a14cc6f660f252218df688f5a707187"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/ssa/revenue/employer_medicare_tax_income_tax_revenue.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 136054, "scanner": "repobility-threat-engine", "fingerprint": "94441538edfe9832e99a9758a3d6b982585420f90e8dec3c96cf3675759fc38f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94441538edfe9832e99a9758a3d6b982585420f90e8dec3c96cf3675759fc38f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/puf.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED001", "level": 
"none", "message": {"text": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 136053, "scanner": "repobility-threat-engine", "fingerprint": "bd632c4ade7e75e1a901d5e2da5e3e85b36e57e91ccdfbe5098de1738a5edc96", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bd632c4ade7e75e1a901d5e2da5e3e85b36e57e91ccdfbe5098de1738a5edc96", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 136049, "scanner": "repobility-threat-engine", "fingerprint": "d5ac058700426ed14325971139efba634921cffda7e8461a0ef98ec4b5b76f22", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d5ac058700426ed14325971139efba634921cffda7e8461a0ef98ec4b5b76f22", "aggregated_count": 26}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136048, "scanner": "repobility-threat-engine", "fingerprint": "37fbb8497da82b5460abd33aa0214d3ec32fcd87b9ae83395be0a6d03961fad8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37fbb8497da82b5460abd33aa0214d3ec32fcd87b9ae83395be0a6d03961fad8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/local/ca/la/general_relief/eligibility/immigration/la_general_relief_immigration_status_eligible_person.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136047, "scanner": "repobility-threat-engine", "fingerprint": "3f6d5b5efa17ece2b9bb79f0d5f43b9cf25a214744a3e63d2e10ce7a01eca327", 
"category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f6d5b5efa17ece2b9bb79f0d5f43b9cf25a214744a3e63d2e10ce7a01eca327"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/local/ca/la/general_relief/eligibility/immigration/la_general_relief_immigration_status_eligible.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136046, "scanner": "repobility-threat-engine", "fingerprint": "30552be0938d06d68b0f6618f771e8770c990693f47888ba7f3f3e46ec61bf63", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30552be0938d06d68b0f6618f771e8770c990693f47888ba7f3f3e46ec61bf63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/taxsim/generate_taxsim_tests.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 136043, "scanner": "repobility-threat-engine", "fingerprint": "22066ec8fc478e38c544a32e81d4f102dbe76fbd167941c0f5981eea2a9e47b9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|22066ec8fc478e38c544a32e81d4f102dbe76fbd167941c0f5981eea2a9e47b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/taxsim/generate_taxsim_tests.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 136042, "scanner": "repobility-threat-engine", "fingerprint": "3de7cb5b3fc0f12624781535296cb9f0b46b6d0e977968485496914ad351c441", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3de7cb5b3fc0f12624781535296cb9f0b46b6d0e977968485496914ad351c441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/geography/download_50_state_census_block_data.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 136041, "scanner": "repobility-threat-engine", "fingerprint": "771f7491437bbbbf7d617714ed294c1212ec6357e860e1fa2fb8fbcd79b01198", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|771f7491437bbbbf7d617714ed294c1212ec6357e860e1fa2fb8fbcd79b01198"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/download_hud_fmr.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 136040, "scanner": "repobility-threat-engine", "fingerprint": "3e8f2b10463013f0735ca4f1b81239fe0408428651e6f52a0c38bffaea757362", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e8f2b10463013f0735ca4f1b81239fe0408428651e6f52a0c38bffaea757362"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/download_hud_fmr.py"}, "region": {"startLine": 101}}}]}, {"ruleId": 
"SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 136037, "scanner": "repobility-threat-engine", "fingerprint": "64da1882a3b725703f4500e1a45aa1480a5f6bfc513ddf7c5f13b6111cff89a7", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|64da1882a3b725703f4500e1a45aa1480a5f6bfc513ddf7c5f13b6111cff89a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/download_hud_fmr.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 136035, "scanner": "repobility-threat-engine", "fingerprint": "1f9cf34bb3a259b729d06f1f15ac7967805d490c0f74f5ba2d5409d957c7d6b7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "_iter_surface_files", "breakdown": {"if": 2, "and": 2, "for": 1, "continue": 1, "nested_bonus": 2}, "aggregated": true, "complexity": 8, "correlation_key": "fp|1f9cf34bb3a259b729d06f1f15ac7967805d490c0f74f5ba2d5409d957c7d6b7", "aggregated_count": 14}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v8.1.0`: `uses: astral-sh/setup-uv@v8.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136160, "scanner": "repobility-supply-chain", "fingerprint": "0457e3fffead1a72be5fac103f4266c1a2612a8ad25b03e72a74dcae8bf0ac84", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0457e3fffead1a72be5fac103f4266c1a2612a8ad25b03e72a74dcae8bf0ac84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 283}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136159, "scanner": "repobility-supply-chain", "fingerprint": "3f2430b8ed9e59926177c89481417d7f584cfbd466c454c0f7572dbce8808212", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3f2430b8ed9e59926177c89481417d7f584cfbd466c454c0f7572dbce8808212"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136158, "scanner": "repobility-supply-chain", "fingerprint": "13d04840863caf51cf6ffcbc998b4f56e8a855f6a663d0bd3f9cfedf11f5999c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13d04840863caf51cf6ffcbc998b4f56e8a855f6a663d0bd3f9cfedf11f5999c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 277}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v8.1.0`: `uses: astral-sh/setup-uv@v8.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136157, "scanner": "repobility-supply-chain", "fingerprint": "7d14627dd84470d444fed3fcaf47d8ff12b86d1be9aa6628ed2d82e5afab3315", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d14627dd84470d444fed3fcaf47d8ff12b86d1be9aa6628ed2d82e5afab3315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 261}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136156, "scanner": "repobility-supply-chain", "fingerprint": "6ac965d84f0c3fc90e50be3f880aeee00277f6e752c4c5d0a93c6b89241034ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ac965d84f0c3fc90e50be3f880aeee00277f6e752c4c5d0a93c6b89241034ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136155, "scanner": "repobility-supply-chain", "fingerprint": "aa8bb113ee2a74c1ae184b36a0940b111eda9d5d92ec05caaeeaec30035c9b44", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa8bb113ee2a74c1ae184b36a0940b111eda9d5d92ec05caaeeaec30035c9b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 255}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v8.1.0`: `uses: astral-sh/setup-uv@v8.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136154, "scanner": "repobility-supply-chain", "fingerprint": "11c931638f58acd16e992f60f6565c7300e52fc0d8a1451224a56d8a49f7c446", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11c931638f58acd16e992f60f6565c7300e52fc0d8a1451224a56d8a49f7c446"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136153, "scanner": "repobility-supply-chain", "fingerprint": "1a85d1890ac3237026cac39a439887779570834e334043330b18ab88325a2192", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a85d1890ac3237026cac39a439887779570834e334043330b18ab88325a2192"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136152, "scanner": "repobility-supply-chain", "fingerprint": "a7ef2d8db16df870d129bd99fc7d7d7e959f91033bd64b9c2e6b6fbddd870b37", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7ef2d8db16df870d129bd99fc7d7d7e959f91033bd64b9c2e6b6fbddd870b37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v8.1.0`: `uses: astral-sh/setup-uv@v8.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136151, "scanner": "repobility-supply-chain", "fingerprint": "b7a812d4688534bc09934fc044e5538e68c8374fba8a027f4b6e8123f0702bbc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b7a812d4688534bc09934fc044e5538e68c8374fba8a027f4b6e8123f0702bbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136150, "scanner": "repobility-supply-chain", "fingerprint": "ef5988c8bb93f9bcc8532a777cb237912718774d4cc7d9b0fb60b04c324ac208", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef5988c8bb93f9bcc8532a777cb237912718774d4cc7d9b0fb60b04c324ac208"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136149, "scanner": "repobility-supply-chain", "fingerprint": "bceb73ddddc9fc9cdcbd38ded1a21025d48cd1b06597afa5ea5e6e9f67021ea9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bceb73ddddc9fc9cdcbd38ded1a21025d48cd1b06597afa5ea5e6e9f67021ea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v6`: `uses: codecov/codecov-action@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136148, "scanner": "repobility-supply-chain", "fingerprint": "51d1a4895ac3269ea3b9cede7eba592aea82210ed739abe9b974fe5b47984d83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51d1a4895ac3269ea3b9cede7eba592aea82210ed739abe9b974fe5b47984d83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v8.1.0`: `uses: astral-sh/setup-uv@v8.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136147, "scanner": "repobility-supply-chain", "fingerprint": "719e94085ed96288b13c2607a09292a05143edaade616ea3eada41dbc112d372", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|719e94085ed96288b13c2607a09292a05143edaade616ea3eada41dbc112d372"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136146, "scanner": "repobility-supply-chain", "fingerprint": "f4007c452d468c559fe222ab842d38d555b19722b935ae7ac8db048ae07f2f34", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f4007c452d468c559fe222ab842d38d555b19722b935ae7ac8db048ae07f2f34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136145, "scanner": "repobility-supply-chain", "fingerprint": "417904d0831595945a7116bc17671935ab7ba0d88f45f012040d811c6edfd5e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|417904d0831595945a7116bc17671935ab7ba0d88f45f012040d811c6edfd5e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v8.1.0`: `uses: astral-sh/setup-uv@v8.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136144, "scanner": "repobility-supply-chain", "fingerprint": "234cf40c6436b529bf50e9764c99d176c0372b8d7eb771ac0404a0f417f10e6a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|234cf40c6436b529bf50e9764c99d176c0372b8d7eb771ac0404a0f417f10e6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136143, "scanner": "repobility-supply-chain", "fingerprint": "4f15144ea4a09e056a0831f5b5261ae4939bb84fcb4d57f4667e8500d7f82ef6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f15144ea4a09e056a0831f5b5261ae4939bb84fcb4d57f4667e8500d7f82ef6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136142, "scanner": "repobility-supply-chain", "fingerprint": "8ebe53914d8b5215bc3fc61e75118c947429c10af7592b2e3ea9e97cd8a8a2e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ebe53914d8b5215bc3fc61e75118c947429c10af7592b2e3ea9e97cd8a8a2e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v5`: `uses: astral-sh/setup-uv@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136141, "scanner": "repobility-supply-chain", "fingerprint": "e96df43eee9ac868b686251a52e42ea3c822d8b9959703978036f3806607d682", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e96df43eee9ac868b686251a52e42ea3c822d8b9959703978036f3806607d682"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136140, "scanner": "repobility-supply-chain", "fingerprint": "a4ef216ff66aeb636d876089ea6fdec3ce5d12f3838704cd5a638b24a03f5ecc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a4ef216ff66aeb636d876089ea6fdec3ce5d12f3838704cd5a638b24a03f5ecc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136139, "scanner": "repobility-supply-chain", "fingerprint": "787a65bdb2fa0980faf596c71873aa06e249ef3bcc324e37501a87035bc97e0e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|787a65bdb2fa0980faf596c71873aa06e249ef3bcc324e37501a87035bc97e0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136138, "scanner": "repobility-supply-chain", "fingerprint": "2af7aa99f2baf4df369aa2b7e02d4f882d6a57557caf8d6b7b37c48367c722aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2af7aa99f2baf4df369aa2b7e02d4f882d6a57557caf8d6b7b37c48367c722aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v8.1.0`: `uses: astral-sh/setup-uv@v8.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136137, "scanner": "repobility-supply-chain", "fingerprint": "51f976378afd33da27c5e13d09c052a4f3036b13f7135d9700f67bf1c89eeff3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51f976378afd33da27c5e13d09c052a4f3036b13f7135d9700f67bf1c89eeff3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136136, "scanner": "repobility-supply-chain", "fingerprint": "68e549e6f3ddde4fd7d33c4f7221ad206fad38cde14e9243e899c03e34fe492e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|68e549e6f3ddde4fd7d33c4f7221ad206fad38cde14e9243e899c03e34fe492e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_given_multiple_entities_uprated_then_all_apply_correctly: Test function `test_given_multiple_entities_uprated_then_all_apply_correctly` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136135, "scanner": "repobility-ast-engine", "fingerprint": "27dc3c2819f5bd19ed758af0e135aafb8680ca6b67e7e1d3f9b449752d3254dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|27dc3c2819f5bd19ed758af0e135aafb8680ca6b67e7e1d3f9b449752d3254dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/data/test_extend_single_year_dataset.py"}, "region": {"startLine": 455}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_given_extended_dataset_then_input_dataset_not_mutated: Test function `test_given_extended_dataset_then_input_dataset_not_mutated` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136134, "scanner": "repobility-ast-engine", "fingerprint": "08e90f3bfa81e080e4b35e0fe5f4c8fa4d37fa2c532c7a2f9a2687b963d10e13", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08e90f3bfa81e080e4b35e0fe5f4c8fa4d37fa2c532c7a2f9a2687b963d10e13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/data/test_extend_single_year_dataset.py"}, "region": {"startLine": 441}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_given_extended_dataset_then_non_uprated_variable_same_all_years: Test function `test_given_extended_dataset_then_non_uprated_variable_same_all_years` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136133, "scanner": "repobility-ast-engine", "fingerprint": "fa23dfaaa6f5a057b75fb0c0ea02f134234e964be715a3a31e7ca8cd76cedd23", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa23dfaaa6f5a057b75fb0c0ea02f134234e964be715a3a31e7ca8cd76cedd23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/data/test_extend_single_year_dataset.py"}, "region": {"startLine": 391}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_given_extended_dataset_then_year_two_chains_uprating: Test function `test_given_extended_dataset_then_year_two_chains_uprating` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136132, "scanner": "repobility-ast-engine", "fingerprint": "9e3dc46baf52faf2c301e08c4299ebcfd22fc06f9beb5eeb43f50128aaedca45", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9e3dc46baf52faf2c301e08c4299ebcfd22fc06f9beb5eeb43f50128aaedca45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/data/test_extend_single_year_dataset.py"}, "region": {"startLine": 372}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_given_extended_dataset_then_year_one_correctly_uprated: Test function `test_given_extended_dataset_then_year_one_correctly_uprated` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136131, "scanner": "repobility-ast-engine", "fingerprint": "ba2fddf0e65aae9ade643cd88d709f17b01916b5687c013ded8b49e964eb0f2f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ba2fddf0e65aae9ade643cd88d709f17b01916b5687c013ded8b49e964eb0f2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/data/test_extend_single_year_dataset.py"}, "region": {"startLine": 357}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_given_extended_dataset_then_base_year_values_unchanged: Test function `test_given_extended_dataset_then_base_year_values_unchanged` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136130, "scanner": "repobility-ast-engine", "fingerprint": "d00576be54ae558d589c8f4602ea200bebc2bfb3fe97c7662917f442746b59f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d00576be54ae558d589c8f4602ea200bebc2bfb3fe97c7662917f442746b59f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/data/test_extend_single_year_dataset.py"}, "region": {"startLine": 340}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_given_variable_not_in_system_then_values_unchanged: Test function `test_given_variable_not_in_system_then_values_unchanged` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136129, "scanner": "repobility-ast-engine", "fingerprint": "0c8c30700a2f1d91f264178a20f38c25d9850154e38d559f0d28daae13900c96", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c8c30700a2f1d91f264178a20f38c25d9850154e38d559f0d28daae13900c96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/data/test_extend_single_year_dataset.py"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_given_household_variable_with_uprating_then_values_scaled: Test function `test_given_household_variable_with_uprating_then_values_scaled` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136128, "scanner": "repobility-ast-engine", "fingerprint": "c4169c4a4b8af9a9de9a3f127bc0f53ebc7e006c833a0c55520d590d3c706ebd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c4169c4a4b8af9a9de9a3f127bc0f53ebc7e006c833a0c55520d590d3c706ebd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/data/test_extend_single_year_dataset.py"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_given_computed_variable_with_microdata_override_then_values_scaled: Test function `test_given_computed_variable_with_microdata_override_then_values_scaled` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136127, "scanner": "repobility-ast-engine", "fingerprint": "cd1ef02eba670d5f55c0356a23710fcd289ba4af31d85297ceecbfb8fc7ce896", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd1ef02eba670d5f55c0356a23710fcd289ba4af31d85297ceecbfb8fc7ce896"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/data/test_extend_single_year_dataset.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_given_variable_without_uprating_then_values_unchanged: Test function `test_given_variable_without_uprating_then_values_unchanged` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136126, "scanner": "repobility-ast-engine", "fingerprint": "ef345c9e00e3b4badbf1f86ba69fdb2f39a3aa42d602a02487c4583d30597762", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef345c9e00e3b4badbf1f86ba69fdb2f39a3aa42d602a02487c4583d30597762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/data/test_extend_single_year_dataset.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_given_uprated_variable_then_values_scaled_by_growth_factor: Test function `test_given_uprated_variable_then_values_scaled_by_growth_factor` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136125, "scanner": "repobility-ast-engine", "fingerprint": "354762335c704b57901c8dbe14a3c7a9a1121fd6fdad472ef35dbee838ea0738", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|354762335c704b57901c8dbe14a3c7a9a1121fd6fdad472ef35dbee838ea0738"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/data/test_extend_single_year_dataset.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ebb_categorical_eligibility_is_vectorized: Test function `test_ebb_categorical_eligibility_is_vectorized` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136124, "scanner": "repobility-ast-engine", "fingerprint": "f52eb47f34b568f838565f34a6996f2edb6867d560726d88ab4b40ec12e1ae41", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f52eb47f34b568f838565f34a6996f2edb6867d560726d88ab4b40ec12e1ae41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/policy/baseline/gov/fcc/test_vectorization.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_acp_lifeline_categorical_eligibility_is_vectorized: Test function `test_acp_lifeline_categorical_eligibility_is_vectorized` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136123, "scanner": "repobility-ast-engine", "fingerprint": "2631ccef8b1a97c937036b83ec512e175082071c01b2afb202be3c9fbf32896c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2631ccef8b1a97c937036b83ec512e175082071c01b2afb202be3c9fbf32896c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/policy/baseline/gov/fcc/test_vectorization.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_medicaid_cost_if_enrolled_is_zero_when_denominator_is_zero: Test function `test_medicaid_cost_if_enrolled_is_zero_when_denominator_is_zero` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136122, "scanner": "repobility-ast-engine", "fingerprint": "ed87cb34764b3520f8ffddf8b55942cc4057302dea5e1aba54608c40d8001379", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ed87cb34764b3520f8ffddf8b55942cc4057302dea5e1aba54608c40d8001379"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/core/test_medicaid_slcsp_cost.py"}, "region": {"startLine": 360}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_reform_medicaid_denominator_uses_baseline_enrollment: Test function `test_reform_medicaid_denominator_uses_baseline_enrollment` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136121, "scanner": "repobility-ast-engine", "fingerprint": "1978ed3d6fb922b72ac842977a2b9a018a04c155baf3a49600e7738ebad59b3c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1978ed3d6fb922b72ac842977a2b9a018a04c155baf3a49600e7738ebad59b3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/core/test_medicaid_slcsp_cost.py"}, "region": {"startLine": 254}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_medicaid_slcsp_cost_index_preserves_vt_child_only_fallback: Test function `test_medicaid_slcsp_cost_index_preserves_vt_child_only_fallback` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136120, "scanner": "repobility-ast-engine", "fingerprint": "f43af57262e45f859d68d1bd5bf68c664a7f14de1c94f05563c5cc39e9bb29be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f43af57262e45f859d68d1bd5bf68c664a7f14de1c94f05563c5cc39e9bb29be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/core/test_medicaid_slcsp_cost.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_medicaid_slcsp_cost_index_allocates_ny_family_tier: Test function `test_medicaid_slcsp_cost_index_allocates_ny_family_tier` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136119, "scanner": "repobility-ast-engine", "fingerprint": "874e3ade58c94a9493cc1401d7008f630e9cabaa7b3735f9f20ccd5411db6670", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|874e3ade58c94a9493cc1401d7008f630e9cabaa7b3735f9f20ccd5411db6670"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/core/test_medicaid_slcsp_cost.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_medicaid_slcsp_cost_index_allocates_ny_child_only: Test function `test_medicaid_slcsp_cost_index_allocates_ny_child_only` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136118, "scanner": "repobility-ast-engine", "fingerprint": "e7dacc34c33b3d2945e938062409df763c1c1ed79eb98bef416155a76b73fb93", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e7dacc34c33b3d2945e938062409df763c1c1ed79eb98bef416155a76b73fb93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/core/test_medicaid_slcsp_cost.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_medicaid_slcsp_cost_index_allocates_vt_family_tier: Test function `test_medicaid_slcsp_cost_index_allocates_vt_family_tier` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136117, "scanner": "repobility-ast-engine", "fingerprint": "52345bb6e09cfe4b04a5b7f661efc2d4c0e16779fc5c88d96f29856587a0e20a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|52345bb6e09cfe4b04a5b7f661efc2d4c0e16779fc5c88d96f29856587a0e20a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/core/test_medicaid_slcsp_cost.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_sum_by_state_does_not_mix_states: Test function `test_sum_by_state_does_not_mix_states` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136116, "scanner": "repobility-ast-engine", "fingerprint": "83cc8e7289afda2cd49ac854b67b5c339bfcf80ff5e9268f231043448aab9e4b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|83cc8e7289afda2cd49ac854b67b5c339bfcf80ff5e9268f231043448aab9e4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/core/test_medicaid_slcsp_cost.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_combined_lsr_cg_structural_reform: Test function `test_combined_lsr_cg_structural_reform` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136115, "scanner": "repobility-ast-engine", "fingerprint": "b5521c89411584d65f47b1ff48eea239c49f0c175a62f8e0c9181c865ad284ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b5521c89411584d65f47b1ff48eea239c49f0c175a62f8e0c9181c865ad284ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/test_lsr_cg_interaction.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_combined_lsr_cg_parametric_reform: Test function `test_combined_lsr_cg_parametric_reform` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136114, "scanner": "repobility-ast-engine", "fingerprint": "0c641484ce9099248f406db37c672cd1202431b1fdc21ac763fb871b07364845", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c641484ce9099248f406db37c672cd1202431b1fdc21ac763fb871b07364845"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/microsimulation/test_lsr_cg_interaction.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.is_supported_source_file` used but never assigned in __init__: Method `get_uncommitted_changes` of class `SelectiveTestRunner` reads `self.is_supported_source_file`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136112, "scanner": "repobility-ast-engine", "fingerprint": "07f9bacee78776625df9afb4de90147b6277e83ac4344938427f3c263965a783", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|07f9bacee78776625df9afb4de90147b6277e83ac4344938427f3c263965a783"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/run_selective_tests.py"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_output_lines` used but never assigned in __init__: Method `get_uncommitted_changes` of class `SelectiveTestRunner` reads `self.get_output_lines`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136111, "scanner": "repobility-ast-engine", "fingerprint": "6620e0a545e264de67c73d96e2847a1ef1e328997fd221ed539e2373662d1082", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6620e0a545e264de67c73d96e2847a1ef1e328997fd221ed539e2373662d1082"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/run_selective_tests.py"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.run_git_command` used but never assigned in __init__: Method `get_uncommitted_changes` of class `SelectiveTestRunner` reads `self.run_git_command`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136110, "scanner": "repobility-ast-engine", "fingerprint": "c244fd11284a93c2c317d61698ccc5173930bec638f39261521708eff5afc837", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c244fd11284a93c2c317d61698ccc5173930bec638f39261521708eff5afc837"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/run_selective_tests.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.run_git_command` used but never assigned in __init__: Method `get_uncommitted_changes` of class `SelectiveTestRunner` reads `self.run_git_command`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136109, "scanner": "repobility-ast-engine", "fingerprint": "3a329cd7cea2371ef9be4505938ee1ca6c5e953214906c9bce079b589684c5ac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a329cd7cea2371ef9be4505938ee1ca6c5e953214906c9bce079b589684c5ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/run_selective_tests.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_output_lines` used but never assigned in __init__: Method `get_uncommitted_changes` of class `SelectiveTestRunner` reads `self.get_output_lines`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136108, "scanner": "repobility-ast-engine", "fingerprint": "3a7b037868740da6e179b3995be642aa64899a5f9b8fe508af2828bbfd087724", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a7b037868740da6e179b3995be642aa64899a5f9b8fe508af2828bbfd087724"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/run_selective_tests.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_output_lines` used but never assigned in __init__: Method `get_uncommitted_changes` of class `SelectiveTestRunner` reads `self.get_output_lines`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136107, "scanner": "repobility-ast-engine", "fingerprint": "369ba745f4b52015b31d4fcdf95c758457e26660ec1aca6762d3c8f7ab0a59bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|369ba745f4b52015b31d4fcdf95c758457e26660ec1aca6762d3c8f7ab0a59bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/run_selective_tests.py"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_output_lines` used but never assigned in __init__: Method `get_diff_files` of class `SelectiveTestRunner` reads `self.get_output_lines`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136106, "scanner": "repobility-ast-engine", "fingerprint": "5023ab00118ba0b078afc93d666d3ac3466f03b6e3950fbae0ba07b4f5230767", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5023ab00118ba0b078afc93d666d3ac3466f03b6e3950fbae0ba07b4f5230767"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/run_selective_tests.py"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.run_git_command` used but never assigned in __init__: Method `get_diff_files` of class `SelectiveTestRunner` reads `self.run_git_command`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136105, "scanner": "repobility-ast-engine", "fingerprint": "ee0b85af3228f6b933c9dd69d088c234d109a7e17ee85266164c878d072b6c46", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee0b85af3228f6b933c9dd69d088c234d109a7e17ee85266164c878d072b6c46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/run_selective_tests.py"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.is_test_infrastructure_file` used but never assigned in __init__: Method `get_direct_changed_tests` of class `SelectiveTestRunner` reads `self.is_test_infrastructure_file`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136104, "scanner": "repobility-ast-engine", "fingerprint": "2488a43130776b1ae9066b7be8dadcc7725dfbf123a8612503159b80c57d313c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2488a43130776b1ae9066b7be8dadcc7725dfbf123a8612503159b80c57d313c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/run_selective_tests.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.is_test_file` used but never assigned in __init__: Method `get_direct_changed_tests` of class `SelectiveTestRunner` reads `self.is_test_file`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136103, "scanner": "repobility-ast-engine", "fingerprint": "d6cb2ee201d7afd65a7d0f9b648edc8d99ee5e06407df8d43e81aa7260abf9bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d6cb2ee201d7afd65a7d0f9b648edc8d99ee5e06407df8d43e81aa7260abf9bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/run_selective_tests.py"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_package_import_does_not_raise: Test function `test_package_import_does_not_raise` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136102, "scanner": "repobility-ast-engine", "fingerprint": "e20af2d6e307315c6a21d532ecbfc3fa2c51f26743962df79831ed3ae0a4dd3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e20af2d6e307315c6a21d532ecbfc3fa2c51f26743962df79831ed3ae0a4dd3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/test_system_import.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_country_tax_benefit_system_constructs_cleanly: Test function `test_country_tax_benefit_system_constructs_cleanly` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136101, "scanner": "repobility-ast-engine", "fingerprint": "237fa9ad6875f6c8ac020412a6280c09d0d9dc181b1e499ababd39b9cd92a317", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|237fa9ad6875f6c8ac020412a6280c09d0d9dc181b1e499ababd39b9cd92a317"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/test_system_import.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_runtime_metadata_uses_bundle_contract_when_available: Test function `test_runtime_metadata_uses_bundle_contract_when_available` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 136098, "scanner": "repobility-ast-engine", "fingerprint": "45dc11e8188c84cde4d90293780390544324124d2717848ba45ea3b8bdaae0c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|45dc11e8188c84cde4d90293780390544324124d2717848ba45ea3b8bdaae0c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tests/test_build_metadata.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.update_variable` used but never assigned in __init__: Method `apply` of class `taxsim` reads `self.update_variable`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136097, "scanner": "repobility-ast-engine", "fingerprint": "a05d6dc2fac18fffa157ade0b18cf1bf36d844c7b64da92565bb43a154b6f6c0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a05d6dc2fac18fffa157ade0b18cf1bf36d844c7b64da92565bb43a154b6f6c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/taxsim.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.update_variable` used but never assigned in __init__: Method `apply` of class `taxsim` reads `self.update_variable`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136096, "scanner": "repobility-ast-engine", "fingerprint": "0ce60f2083a04bca995d9587e5e90c9ef0db85098ba1cfe90828e60fe47f30f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ce60f2083a04bca995d9587e5e90c9ef0db85098ba1cfe90828e60fe47f30f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/taxsim.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.update_variable` used but never assigned in __init__: Method `apply` of class `taxsim` reads `self.update_variable`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136095, "scanner": "repobility-ast-engine", "fingerprint": "c490c494c82547a569e05d9a1e30decf65c8e66205973a6b9ba4809de1c511b6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c490c494c82547a569e05d9a1e30decf65c8e66205973a6b9ba4809de1c511b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/taxsim.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.update_variable` used but never assigned in __init__: Method `apply` of class `taxsim` reads `self.update_variable`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136094, "scanner": "repobility-ast-engine", "fingerprint": "8cfee58cf37364fa0be7bcb677f7da46e4ebfca31f68ccc9ae18950f62106ff8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8cfee58cf37364fa0be7bcb677f7da46e4ebfca31f68ccc9ae18950f62106ff8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/taxsim.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.update_variable` used but never assigned in __init__: Method `apply` of class `reform` reads `self.update_variable`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136093, "scanner": "repobility-ast-engine", "fingerprint": "95190068f921a47728a0a073bcdac9252a9a48fb31e26850c8b418ea7bb482d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|95190068f921a47728a0a073bcdac9252a9a48fb31e26850c8b418ea7bb482d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/dc_kccatc.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.update_variable` used but never assigned in __init__: Method `apply` of class `reform` reads `self.update_variable`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136092, "scanner": "repobility-ast-engine", "fingerprint": "ad2e5e2757424cb2b9a0300ead1e6938a2243a55f1c51f07c75de568a59a69e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ad2e5e2757424cb2b9a0300ead1e6938a2243a55f1c51f07c75de568a59a69e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/winship.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.update_variable` used but never assigned in __init__: Method `apply` of class `reform` reads `self.update_variable`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136091, "scanner": "repobility-ast-engine", "fingerprint": "d5bd20a02ae60b1ae0b6bde600a10665cdca2b627c2291e41aa8bda8e387983d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d5bd20a02ae60b1ae0b6bde600a10665cdca2b627c2291e41aa8bda8e387983d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/dc_tax_threshold_joint_ratio.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.branched_simulation` used but never assigned in __init__: Method `__exit__` of class `BranchedSimulation` reads `self.branched_simulation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136090, "scanner": "repobility-ast-engine", "fingerprint": "baf2adb9929acbab35085a74965484acb123be57da6ea472fe214c47b5a6a456", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|baf2adb9929acbab35085a74965484acb123be57da6ea472fe214c47b5a6a456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/branched_simulation.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.computed_variables` used but never assigned in __init__: Method `__exit__` of class `BranchedSimulation` reads `self.computed_variables`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136089, "scanner": "repobility-ast-engine", "fingerprint": "cb70d800820f7f6d91906e4c40ca69ce60d082eb1e17cc5e078b80d477e7ee84", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cb70d800820f7f6d91906e4c40ca69ce60d082eb1e17cc5e078b80d477e7ee84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/branched_simulation.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.branched_simulation` used but never assigned in __init__: Method `__enter__` of class `BranchedSimulation` reads `self.branched_simulation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136088, "scanner": "repobility-ast-engine", "fingerprint": "126e1cc3cc79522ed3f4f88eae5e77777d44013033cef396f28bc8fa671a26e5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|126e1cc3cc79522ed3f4f88eae5e77777d44013033cef396f28bc8fa671a26e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/branched_simulation.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.branched_simulation` used but never assigned in __init__: Method `__enter__` of class `BranchedSimulation` reads `self.branched_simulation`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136087, "scanner": "repobility-ast-engine", "fingerprint": "721d82c1182d7916f4571303f981d15204d17cbd6780535a7b967fa57a35f78c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|721d82c1182d7916f4571303f981d15204d17cbd6780535a7b967fa57a35f78c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/branched_simulation.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.computed_variables` used but never assigned in __init__: Method `__enter__` of class `BranchedSimulation` reads `self.computed_variables`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136086, "scanner": "repobility-ast-engine", "fingerprint": "7b97e7794568909e166aa6dea32c858f366527f628ce2ad715a0de0b17b34ebf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7b97e7794568909e166aa6dea32c858f366527f628ce2ad715a0de0b17b34ebf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/branched_simulation.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_year` used but never assigned in __init__: Method `__getitem__` of class `USMultiYearDataset` reads `self.get_year`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136083, "scanner": "repobility-ast-engine", "fingerprint": "9eb8417985c14811ca699285acdded6038c5a33b8673fd2dba7273f5cc8302ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9eb8417985c14811ca699285acdded6038c5a33b8673fd2dba7273f5cc8302ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/data/dataset_schema.py"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.years` used but never assigned in __init__: Method `label` of class `USMultiYearDataset` reads `self.years`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136082, "scanner": "repobility-ast-engine", "fingerprint": "d43501ac6ae3c68f15f552c9d73f18e9e399ed0622d349bcc95b8e9cbfb241da", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d43501ac6ae3c68f15f552c9d73f18e9e399ed0622d349bcc95b8e9cbfb241da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/data/dataset_schema.py"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.years` used but never assigned in __init__: Method `name` of class `USMultiYearDataset` reads `self.years`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 136081, "scanner": "repobility-ast-engine", "fingerprint": "4909cf551f68636ed2ae7f6609d604cd169abbf1f65e02769a11cee6e32f7f60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4909cf551f68636ed2ae7f6609d604cd169abbf1f65e02769a11cee6e32f7f60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/data/dataset_schema.py"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 136052, "scanner": "repobility-threat-engine", "fingerprint": "95cf49deef45bec1bcc66efcb144d5a1d2bd7c963fb4a435d588c33a20caf027", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|95cf49deef45bec1bcc66efcb144d5a1d2bd7c963fb4a435d588c33a20caf027"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/ssa/revenue/employer_ss_tax_income_tax_revenue.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED001", "level": 
"error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 136051, "scanner": "repobility-threat-engine", "fingerprint": "cdf1eb73a224af6cd8c60a8888d37ddf60af51c2fb890c6d6e01c462604cdbf0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cdf1eb73a224af6cd8c60a8888d37ddf60af51c2fb890c6d6e01c462604cdbf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/ssa/revenue/employer_medicare_tax_income_tax_revenue.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 136050, "scanner": "repobility-threat-engine", "fingerprint": "970ea8c090198c71b030d48bc8d01f0c9c5f68533f002b854b6cb4137db44598", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": 
"repobility-threat-engine", "correlation_key": "fp|970ea8c090198c71b030d48bc8d01f0c9c5f68533f002b854b6cb4137db44598"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/variables/gov/puf.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 136045, "scanner": "repobility-threat-engine", "fingerprint": "c9d29506d3c49e5a6e9af92be8df1f268d1fdc5b3a744bcab7de40a8f190a614", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(self.EXECUTABLE_URL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c9d29506d3c49e5a6e9af92be8df1f268d1fdc5b3a744bcab7de40a8f190a614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/taxsim/generate_taxsim_tests.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 136039, "scanner": "repobility-threat-engine", "fingerprint": "3b0b82bafea67db48879c31f41d94e623786ce8be693dd3305d04bd215ade60b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b0b82bafea67db48879c31f41d94e623786ce8be693dd3305d04bd215ade60b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/taxsim/generate_taxsim_tests.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 136038, "scanner": "repobility-threat-engine", "fingerprint": "f3a6b2e61fb34ea8fa1087135c9bdd65d38a6854ce1194117620f0b7f16043d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f3a6b2e61fb34ea8fa1087135c9bdd65d38a6854ce1194117620f0b7f16043d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/geography/download_50_state_census_block_data.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 136036, "scanner": "repobility-threat-engine", "fingerprint": "a7f2d342c437d094c9cbe6c59a551ec7879ce71c878f81e600bf2b2f189d4787", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7f2d342c437d094c9cbe6c59a551ec7879ce71c878f81e600bf2b2f189d4787"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/ssa/trustees_core_thresholds.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": 
"[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136030, "scanner": "repobility-threat-engine", "fingerprint": "d76d13b40bc2e755dcd8e4f36635698af378ed0021c1cf63fe4b1c252785c479", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "parameter.update(\n            period=f\"year:{year}-01-01:1\",\n            value=value,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d76d13b40bc2e755dcd8e4f36635698af378ed0021c1cf63fe4b1c252785c479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/ssa/trustees_core_thresholds.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136029, "scanner": "repobility-threat-engine", "fingerprint": "d5ee946369322ed9db2472a314ba762ccd450b93e6c209aae213b5acaf1b342d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "nawi.update(period=f\"year:{year}-01-01:1\", value=value)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d5ee946369322ed9db2472a314ba762ccd450b93e6c209aae213b5acaf1b342d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/reforms/ssa/trustees_2025.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136028, "scanner": "repobility-threat-engine", "fingerprint": "d4b73fbd9605f479e44fb63116d4ff1be721a0e900633621f7b59066711e9345", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "digest.update(b\"\\0\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d4b73fbd9605f479e44fb63116d4ff1be721a0e900633621f7b59066711e9345"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/build_metadata.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 136027, "scanner": "repobility-threat-engine", "fingerprint": "3659c00a2d9bd1e3eb74e901f9adb1779756866b03025894242d5e6cc704807b", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'^version\\s*=\\s*\"(\\d+\\.\\d+\\.\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|.github/bump_version.py|10|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/bump_version.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.head_ref in run-step: Multi-line `run: |` block interpolates ${{ github.head_ref }} into shell. 
PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 136162, "scanner": "repobility-supply-chain", "fingerprint": "d7723417f988881840c1a40c06650e4546bbf7ddf6c776cb7e39f769a171966b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d7723417f988881840c1a40c06650e4546bbf7ddf6c776cb7e39f769a171966b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 136161, "scanner": "repobility-supply-chain", "fingerprint": "76804adf89a10b7c5367d442320f2ad5576b4df56bca1913de3cfab25a1c2a39", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76804adf89a10b7c5367d442320f2ad5576b4df56bca1913de3cfab25a1c2a39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 136085, "scanner": "repobility-ast-engine", "fingerprint": "fcb19cc967ec14c0849fd3cd6bbd12819698f2ce178cdceaa2006256fb4f3004", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fcb19cc967ec14c0849fd3cd6bbd12819698f2ce178cdceaa2006256fb4f3004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "policyengine_us/tools/add_plotly_to_book.py"}, "region": {"startLine": 21}}}]}]}]}