{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM.", "shortDescription": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool.", "shortDescription": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`gradle/wrapper/gradle-wrapper.jar` is a .jar binary (45,633 bytes) committed to a repo that otherwise has 206 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `gradle/actions/dependency-submission` pinned to mutable ref `@v5`", "shortDescription": {"text": "Action `gradle/actions/dependency-submission` pinned to mutable ref `@v5`"}, "fullDescription": {"text": "`uses: gradle/actions/dependency-submission@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/915"}, "properties": {"repository": "termux/termux-app", "repoUrl": "https://github.com/termux/termux-app", "branch": "master"}, "results": [{"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 85879, "scanner": "repobility-threat-engine", "fingerprint": "1c56ae3df948a7567cf7d5ff15501d0226ebecceb568301ef3471fef59372616", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|111|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "terminal-emulator/src/main/jni/termux.c"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 85870, "scanner": "repobility-threat-engine", "fingerprint": "d14f85916cedaeea5287aeda7d377dabdf38515a5c0716aff1d6e061ca0c9a11", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Failed to get \" + methodName + \"() method of \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d14f85916cedaeea5287aeda7d377dabdf38515a5c0716aff1d6e061ca0c9a11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "termux-shared/src/main/java/com/termux/shared/android/SELinuxUtils.java"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 85869, "scanner": "repobility-threat-engine", "fingerprint": "9c60371a245bf9146f8913955b21b37777d30d8f16fda8ac147b90848ddbd8d5", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\" ActivityManager \" + KEY_MAX_PHANTOM_PROCESSES + \" Command\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9c60371a245bf9146f8913955b21b37777d30d8f16fda8ac147b90848ddbd8d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "termux-shared/src/main/java/com/termux/shared/android/PhantomProcessUtils.java"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 85868, "scanner": "repobility-threat-engine", "fingerprint": "c9b9b65a41dc5171b2fb3d11ba617bcaa6e19f4ac6c2331114a295f3059cab6e", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Open file request received from \" + callingPackageName + \" for \\\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c9b9b65a41dc5171b2fb3d11ba617bcaa6e19f4ac6c2331114a295f3059cab6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/termux/app/TermuxOpenReceiver.java"}, "region": {"startLine": 206}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85850, "scanner": "repobility-ai-code-hygiene", "fingerprint": "526c7d9d561071a478180823c9584381ce923741a4441c5d5bb143b7e5a6fce0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "termux-shared/src/main/java/com/termux/shared/termux/terminal/TermuxTerminalSessionClientBase.java", "duplicate_line": 40, "correlation_key": "fp|526c7d9d561071a478180823c9584381ce923741a4441c5d5bb143b7e5a6fce0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "termux-shared/src/main/java/com/termux/shared/termux/terminal/TermuxTerminalViewClientBase.java"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85849, "scanner": "repobility-ai-code-hygiene", "fingerprint": "73dbbe66667b63067ef51f72ccde8c0d9239f2a67c870f89fe87a62a24b7ae17", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "termux-shared/src/main/java/com/termux/shared/termux/crash/TermuxCrashUtils.java", "duplicate_line": 179, "correlation_key": "fp|73dbbe66667b63067ef51f72ccde8c0d9239f2a67c870f89fe87a62a24b7ae17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "termux-shared/src/main/java/com/termux/shared/termux/plugins/TermuxPluginUtils.java"}, "region": {"startLine": 188}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85848, "scanner": "repobility-ai-code-hygiene", "fingerprint": "81eb9be397a4445d597dc3d636c87e46be6faadb352a24f43805c9a06c67d15b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "termux-shared/src/main/java/com/termux/shared/shell/command/ExecutionCommand.java", "duplicate_line": 155, "correlation_key": "fp|81eb9be397a4445d597dc3d636c87e46be6faadb352a24f43805c9a06c67d15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "termux-shared/src/main/java/com/termux/shared/shell/command/result/ResultData.java"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85847, "scanner": "repobility-ai-code-hygiene", "fingerprint": "735f1e88ffc4e4d34bd7a63aa08166485338ed2d7fdef8f82c58d8ee81c25e5b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "terminal-emulator/src/main/java/com/termux/terminal/Logger.java", "duplicate_line": 49, "correlation_key": "fp|735f1e88ffc4e4d34bd7a63aa08166485338ed2d7fdef8f82c58d8ee81c25e5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "termux-shared/src/main/java/com/termux/shared/logger/Logger.java"}, "region": {"startLine": 206}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85846, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df3601ff765ba17357fed2d873c6494f556ca85dc87e2e885b11feec9b730ba6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "termux-shared/src/main/java/com/termux/shared/activities/ReportActivity.java", "duplicate_line": 53, "correlation_key": "fp|df3601ff765ba17357fed2d873c6494f556ca85dc87e2e885b11feec9b730ba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "termux-shared/src/main/java/com/termux/shared/activities/TextIOActivity.java"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85845, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b6de4186bb2e6ae565cd3f460b506238497555ca9638ee2bf7904e2ec964b357", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/termux/app/fragments/settings/termux_api/DebuggingPreferencesFragment.java", "duplicate_line": 48, "correlation_key": "fp|b6de4186bb2e6ae565cd3f460b506238497555ca9638ee2bf7904e2ec964b357"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/termux/app/fragments/settings/termux_widget/DebuggingPreferencesFragment.java"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85844, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42acb7b2fd3bc411f7aad74ea4c4a95bc3d2a55b7e31f428bc75efb5f4c61f32", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/termux/app/fragments/settings/termux/DebuggingPreferencesFragment.java", "duplicate_line": 56, "correlation_key": "fp|42acb7b2fd3bc411f7aad74ea4c4a95bc3d2a55b7e31f428bc75efb5f4c61f32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/termux/app/fragments/settings/termux_widget/DebuggingPreferencesFragment.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85843, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89b68e6acc4d8598f0bc7b36b4c83286cdbb40bb5c0785851572b9223f9a5885", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/termux/app/fragments/settings/termux_api/DebuggingPreferencesFragment.java", "duplicate_line": 48, "correlation_key": "fp|89b68e6acc4d8598f0bc7b36b4c83286cdbb40bb5c0785851572b9223f9a5885"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/termux/app/fragments/settings/termux_tasker/DebuggingPreferencesFragment.java"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85842, "scanner": "repobility-ai-code-hygiene", "fingerprint": "305181f73e349672a8c326df9309791baada72d8f788d11f296b6d371ccb1e07", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/termux/app/fragments/settings/termux/DebuggingPreferencesFragment.java", "duplicate_line": 56, "correlation_key": "fp|305181f73e349672a8c326df9309791baada72d8f788d11f296b6d371ccb1e07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/termux/app/fragments/settings/termux_tasker/DebuggingPreferencesFragment.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85841, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a00cd6a539fb3c9644d5731f0741f1ec0ecb44b13c679645a1574ee9fde1bdb9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/termux/app/fragments/settings/termux_api/DebuggingPreferencesFragment.java", "duplicate_line": 48, "correlation_key": "fp|a00cd6a539fb3c9644d5731f0741f1ec0ecb44b13c679645a1574ee9fde1bdb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/termux/app/fragments/settings/termux_float/DebuggingPreferencesFragment.java"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85840, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8dc9e8b5272a8a56230f3bca767635c81cef5f95229274fbdb8ecb68758ba7a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/termux/app/fragments/settings/termux/DebuggingPreferencesFragment.java", "duplicate_line": 56, "correlation_key": "fp|c8dc9e8b5272a8a56230f3bca767635c81cef5f95229274fbdb8ecb68758ba7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/termux/app/fragments/settings/termux_float/DebuggingPreferencesFragment.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85839, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c910c2ed33c79c6bc84ba3bfd2331a1fa79c2f3456d2be47ec5401cf197ebba7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/termux/app/fragments/settings/termux/DebuggingPreferencesFragment.java", "duplicate_line": 56, "correlation_key": "fp|c910c2ed33c79c6bc84ba3bfd2331a1fa79c2f3456d2be47ec5401cf197ebba7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/termux/app/fragments/settings/termux_api/DebuggingPreferencesFragment.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 85881, "scanner": "repobility-threat-engine", "fingerprint": "f8f9004197c0bef1024a9e5daa33318e2205a62022d8a7fcd69cd878d492d379", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|74|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "termux-shared/src/main/java/com/termux/shared/termux/settings/preferences/TermuxWidgetAppSharedPreferences.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 85880, "scanner": "repobility-threat-engine", "fingerprint": "2f0a25c229e4441df5de038b287b51e85b7f4a4126d0d56366786a536d6edfd7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f0a25c229e4441df5de038b287b51e85b7f4a4126d0d56366786a536d6edfd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "termux-shared/src/main/java/com/termux/shared/interact/MessageDialogUtils.java"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 85878, "scanner": "repobility-threat-engine", "fingerprint": "052360d74eb10f0d90c5bfe4e71c530cb5eb261e040de348b0c3f70b0cb4eb2c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|052360d74eb10f0d90c5bfe4e71c530cb5eb261e040de348b0c3f70b0cb4eb2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "terminal-emulator/src/main/java/com/termux/terminal/Logger.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 85877, "scanner": "repobility-threat-engine", "fingerprint": "0760ac047e70a47326e2b2a5ca20c578c9617ad442025f093f60fb39166b6676", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0760ac047e70a47326e2b2a5ca20c578c9617ad442025f093f60fb39166b6676"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "termux-shared/src/main/java/com/termux/shared/net/socket/local/LocalServerSocket.java"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 85876, "scanner": "repobility-threat-engine", "fingerprint": "e510d2704ac7c5e53f1f29828d487b0948f190753a7a8b83f89ac2be54a15697", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e510d2704ac7c5e53f1f29828d487b0948f190753a7a8b83f89ac2be54a15697"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/termux/app/activities/SettingsActivity.java"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 85875, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 85871, "scanner": "repobility-threat-engine", "fingerprint": "210b9a03c31e13da90d22960eccce857cdcb6cc5e7b1743557068c7b664a66b1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|210b9a03c31e13da90d22960eccce857cdcb6cc5e7b1743557068c7b664a66b1"}}}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85874, "scanner": "repobility-threat-engine", "fingerprint": "7c45ef6c5b9cb6fe4f95c183b185be9fa8b0d7c75371623244397cec80aa0384", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7c45ef6c5b9cb6fe4f95c183b185be9fa8b0d7c75371623244397cec80aa0384"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "termux-shared/src/main/java/com/termux/shared/interact/ShareUtils.java"}, "region": {"startLine": 165}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85873, "scanner": "repobility-threat-engine", "fingerprint": "d39c58ebc47599d69187cb07801d6f7c951372046330e8c1cc92a53693e9e311", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d39c58ebc47599d69187cb07801d6f7c951372046330e8c1cc92a53693e9e311"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/termux/app/activities/SettingsActivity.java"}, "region": {"startLine": 162}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85872, "scanner": "repobility-threat-engine", "fingerprint": "1035ea3c64b1bd34c02b504d5de73f4e4925adb0dea8a3c76bffc6847f6217df", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(T", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1035ea3c64b1bd34c02b504d5de73f4e4925adb0dea8a3c76bffc6847f6217df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/termux/app/activities/HelpActivity.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 85867, "scanner": "repobility-supply-chain", "fingerprint": "e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `gradle/actions/dependency-submission` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 85866, "scanner": "repobility-supply-chain", "fingerprint": "e87125f52871c26e107127b583d35f89ca2b7cc083cc473ec97bd6bba68ae0d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e87125f52871c26e107127b583d35f89ca2b7cc083cc473ec97bd6bba68ae0d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependency-submission.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 85865, "scanner": "repobility-supply-chain", "fingerprint": "74460d8be68a980915829d7d5febd8c7530215064eba79a0ac921ac1af76fa1f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|74460d8be68a980915829d7d5febd8c7530215064eba79a0ac921ac1af76fa1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependency-submission.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85864, "scanner": "repobility-supply-chain", "fingerprint": "da0e4047b67c027e1cddb8eddff4d26524167d49feefa3d92142cc9f457c0b16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da0e4047b67c027e1cddb8eddff4d26524167d49feefa3d92142cc9f457c0b16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependency-submission.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 85863, "scanner": "repobility-supply-chain", "fingerprint": "2622cadbc9d884f35eae5771b435908d38f0bdc81ef273cb7828519109647192", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2622cadbc9d884f35eae5771b435908d38f0bdc81ef273cb7828519109647192"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_tests.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85862, "scanner": "repobility-supply-chain", "fingerprint": "b321bfa64259500dc1020bef2f7bc38c5576decc32fd2c5d7d4c1183a319612c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b321bfa64259500dc1020bef2f7bc38c5576decc32fd2c5d7d4c1183a319612c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_tests.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85861, "scanner": "repobility-supply-chain", "fingerprint": "b62a277205bab5acc419c3fba2b25af78261d7e61846cf85ecb620de5d2fef74", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b62a277205bab5acc419c3fba2b25af78261d7e61846cf85ecb620de5d2fef74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug_build.yml"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85860, "scanner": "repobility-supply-chain", "fingerprint": "46899c3a31f6d7db77724a284aae2a8c2021069ed7d882b19ac7e496b6d25a74", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46899c3a31f6d7db77724a284aae2a8c2021069ed7d882b19ac7e496b6d25a74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug_build.yml"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85859, "scanner": "repobility-supply-chain", "fingerprint": "c4567be3c3cd2491be0bf04bed04f5b6b8e76b2435738f02c0fc44b05e7dd2e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4567be3c3cd2491be0bf04bed04f5b6b8e76b2435738f02c0fc44b05e7dd2e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug_build.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85858, "scanner": "repobility-supply-chain", "fingerprint": "41469e9e265ebac0b8646b507351dc73275c3fc67f5f05768ac6f8516e223e9c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41469e9e265ebac0b8646b507351dc73275c3fc67f5f05768ac6f8516e223e9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug_build.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85857, "scanner": "repobility-supply-chain", "fingerprint": "d5127a68c51275e66664bb8c5807ee58526bec9755c60acbea787ffeb8a90805", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d5127a68c51275e66664bb8c5807ee58526bec9755c60acbea787ffeb8a90805"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug_build.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85856, "scanner": "repobility-supply-chain", "fingerprint": "36b3890858150189ca20b7432867129cba3ef74be3c9cfdf5ac4bdc31e8ff183", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36b3890858150189ca20b7432867129cba3ef74be3c9cfdf5ac4bdc31e8ff183"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug_build.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 85855, "scanner": "repobility-supply-chain", "fingerprint": "ecb46d02be8cf9e8dca56178ec156afa2604f8fbd502ed847ba1ec90d7fdc572", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ecb46d02be8cf9e8dca56178ec156afa2604f8fbd502ed847ba1ec90d7fdc572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug_build.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85854, "scanner": "repobility-supply-chain", "fingerprint": "b477a87eb394004e85c9969cfe7ccdf0009e699bf0902601b83ddce19b59cd73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b477a87eb394004e85c9969cfe7ccdf0009e699bf0902601b83ddce19b59cd73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug_build.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85853, "scanner": "repobility-supply-chain", "fingerprint": "00936322de4709a10d2d9cf577a45e9dc079b5aa8481feb6c8b6f0c64093109e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|00936322de4709a10d2d9cf577a45e9dc079b5aa8481feb6c8b6f0c64093109e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/attach_debug_apks_to_release.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `gradle/actions/wrapper-validation` pinned to mutable ref `@5`"}, "properties": {"repobilityId": 85852, "scanner": "repobility-supply-chain", "fingerprint": "d97f768045469f74f4a3f4ce1a029c45c645a231711509858b9f224c20fc121e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d97f768045469f74f4a3f4ce1a029c45c645a231711509858b9f224c20fc121e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-wrapper-validation.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 85851, "scanner": "repobility-supply-chain", "fingerprint": "842a465221bd12bf19ee262cf5d50d72853476f37517a832ecfd80a2ef0458cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|842a465221bd12bf19ee262cf5d50d72853476f37517a832ecfd80a2ef0458cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-wrapper-validation.yml"}, "region": {"startLine": 18}}}]}]}]}