{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. 
Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 14 (SonarSource scale). Cognitive complexi", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 14 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weig"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 14."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC075", "name": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from", "shortDescription": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "fullDescription": {"text": "Add `HEALTHCHECK CMD curl -f http://localhost:PORT/health || exit 1`."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Use a stable, unique identifier from the item itself (e.g. its id) as the key instead of the array index. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v4`: `uses: actions/deploy-pages@v4` resolves at workfl", "shortDescription": {"text": "[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v4`: `uses: actions/deploy-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise ("}, "fullDescription": {"text": "Replace with: `uses: actions/deploy-pages@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.subTest` used but never assigned in __init__: Method `test_production_files_rejected` of class `IsTestP", "shortDescription": {"text": "[MINED108] `self.subTest` used but never assigned in __init__: Method `test_production_files_rejected` of class `IsTestPathTests` reads `self.subTest`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises At"}, "fullDescription": {"text": "Initialize `self.subTest = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC069", "name": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported ", "shortDescription": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). 
Implement as a file-level rule: skip if file contains `^\\s*USER\\s+"}, "fullDescription": {"text": "Add `RUN adduser -D app` followed by a separate `USER app` line before the CMD/ENTRYPOINT. USER is a Dockerfile instruction, not a shell command, so it cannot be chained after `&&` inside a RUN step."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `", "shortDescription": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import warnings` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/940"}, "properties": {"repository": "Lum1104/Understand-Anything", "repoUrl": "https://github.com/Lum1104/Understand-Anything", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 88319, "scanner": "repobility-ast-engine", "fingerprint": "480542d74876ec92eb0526f8785a4d74a4488d1fb2cd3483633b11fc971aced8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|480542d74876ec92eb0526f8785a4d74a4488d1fb2cd3483633b11fc971aced8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/skills/understand-domain/extract-domain-context.py"}, "region": {"startLine": 422}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 88318, "scanner": "repobility-journey-contract", "fingerprint": "a348a56efa41ecfb729352bba22d78c3f45a003355f1d70e3a25fb0727453790", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|91|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/src/App.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 88317, "scanner": "repobility-journey-contract", "fingerprint": "967e847c25071bed59851d3af4d206808b3a48e0114470d5d291652e71126ae1", "category": "auth", "severity": 
"medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|84|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/src/App.tsx"}, "region": {"startLine": 84}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 88316, "scanner": "repobility-journey-contract", "fingerprint": "ca66597fac772a5eaf341638cf317cecf8c7b2f41b4191c0c16916cf9ef464d8", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|75|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/src/App.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 88315, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 88314, "scanner": "repobility-agent-runtime", "fingerprint": "059d001194b68ea22a3ce1abc7f78d702762f94f8d9f0c27c905dc427f107c96", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|059d001194b68ea22a3ce1abc7f78d702762f94f8d9f0c27c905dc427f107c96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/src/themes/ThemeContext.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 88313, "scanner": "repobility-agent-runtime", "fingerprint": "3d64062f8abfb481ea4034598ce5902364664733bbd556c98de079b627343a1b", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3d64062f8abfb481ea4034598ce5902364664733bbd556c98de079b627343a1b"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "install.sh"}, "region": {"startLine": 12}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 88312, "scanner": "repobility-agent-runtime", "fingerprint": "b255b6aaae29eea9cb743eb403538d4086013f26104ac2c454dbe16f94de7b3f", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b255b6aaae29eea9cb743eb403538d4086013f26104ac2c454dbe16f94de7b3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "READMEs/README.zh-TW.md"}, "region": {"startLine": 188}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 88311, "scanner": "repobility-agent-runtime", "fingerprint": "304c75017eba84dea3e91f900b87564e1668856333da32d7713dfcd4a645fba0", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|304c75017eba84dea3e91f900b87564e1668856333da32d7713dfcd4a645fba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "READMEs/README.zh-CN.md"}, "region": {"startLine": 188}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 88310, "scanner": "repobility-agent-runtime", "fingerprint": 
"8fffd240a8e636c58808ec8705fc7450f637d6c08588a2aa5a6d48460bf22de0", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8fffd240a8e636c58808ec8705fc7450f637d6c08588a2aa5a6d48460bf22de0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "READMEs/README.tr-TR.md"}, "region": {"startLine": 189}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 88309, "scanner": "repobility-agent-runtime", "fingerprint": "b26b76eb53e594e93623ac13adca8364f71b5fa833089d9c1f1ea0886b51340f", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b26b76eb53e594e93623ac13adca8364f71b5fa833089d9c1f1ea0886b51340f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "READMEs/README.ru-RU.md"}, "region": {"startLine": 189}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 88308, "scanner": "repobility-agent-runtime", "fingerprint": "ab9c6d26b7970e5f859313caa14666d32d683856df2b509a34a30e11aeb038ad", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or 
signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ab9c6d26b7970e5f859313caa14666d32d683856df2b509a34a30e11aeb038ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "READMEs/README.ko-KR.md"}, "region": {"startLine": 188}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 88307, "scanner": "repobility-agent-runtime", "fingerprint": "86c937dc28426429ea11147c27c2e02e3a11af1af56ff6c284e803ab832f5b02", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|86c937dc28426429ea11147c27c2e02e3a11af1af56ff6c284e803ab832f5b02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "READMEs/README.ja-JP.md"}, "region": {"startLine": 189}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 88306, "scanner": "repobility-agent-runtime", "fingerprint": "2eeeabd65aeadb57321f71536eaa35b685cdea19664065d3ad8cdb709454d3be", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|2eeeabd65aeadb57321f71536eaa35b685cdea19664065d3ad8cdb709454d3be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"READMEs/README.es-ES.md"}, "region": {"startLine": 188}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 88305, "scanner": "repobility-agent-runtime", "fingerprint": "a652f9414684931b2afcbf8dcacf60094d23720ab55cfce39571122e762b8f4d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a652f9414684931b2afcbf8dcacf60094d23720ab55cfce39571122e762b8f4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 88275, "scanner": "repobility-threat-engine", "fingerprint": "d2341569c1a69f77c9dc74a7f91b25029739daf94915aeec8a95b6f0095218f0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|27|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/markdown-parser.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 88274, "scanner": "repobility-threat-engine", "fingerprint": "9e4a184be1446ccc35a065e70bc77ce3122e9d1056f46247b8c452c9f0e50abf", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|92|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/json-parser.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 88273, "scanner": "repobility-threat-engine", "fingerprint": "3d949c807dc700c6b605d365930dc5ef29e9f818d53ecd7bb6501bf4151f2486", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|31|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/graphql-parser.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88304, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d44be63c797c1fe27f46d9df9b2225b7620e5e269abad9a50856a81797f28481", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/dashboard/vite.config.demo.ts", "duplicate_line": 26, "correlation_key": "fp|d44be63c797c1fe27f46d9df9b2225b7620e5e269abad9a50856a81797f28481"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/vite.config.ts"}, "region": {"startLine": 185}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88303, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"3237a7420543bcfbb146bae65fef6399daa4ac6e1583bb71717ad8c3b87d43da", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/dashboard/src/components/NodeInfo.tsx", "duplicate_line": 6, "correlation_key": "fp|3237a7420543bcfbb146bae65fef6399daa4ac6e1583bb71717ad8c3b87d43da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/src/components/SearchBar.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88302, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8eaa13d57f441d2124047dcc09862149548db5564e622a2a6622c43aa302e4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/parsers/json-parser.ts", "duplicate_line": 80, "correlation_key": "fp|c8eaa13d57f441d2124047dcc09862149548db5564e622a2a6622c43aa302e4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/yaml-parser.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88301, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "246c42caae3042fb19fa1c40eaad5089f7b60a72fa5a88e23416aa5aa74f9d4d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/parsers/toml-parser.ts", "duplicate_line": 5, "correlation_key": "fp|246c42caae3042fb19fa1c40eaad5089f7b60a72fa5a88e23416aa5aa74f9d4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/yaml-parser.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88300, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23d60439c04e77e1704409d75d9089742c87c7951ecb2591975f23ce519bf470", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/parsers/json-parser.ts", "duplicate_line": 44, "correlation_key": "fp|23d60439c04e77e1704409d75d9089742c87c7951ecb2591975f23ce519bf470"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/markdown-parser.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88299, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "288aaa910da1c7ccb46518f808e32c0b2d6ef88368aaea9b29784cb0c28af641", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/extractors/csharp-extractor.ts", "duplicate_line": 230, "correlation_key": "fp|288aaa910da1c7ccb46518f808e32c0b2d6ef88368aaea9b29784cb0c28af641"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/extractors/typescript-extractor.ts"}, "region": {"startLine": 250}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88298, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b07299acbc8a3600f02d881347de0b686ac3f8d21a6b9694505151e148bfd61b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/extractors/python-extractor.ts", "duplicate_line": 142, "correlation_key": "fp|b07299acbc8a3600f02d881347de0b686ac3f8d21a6b9694505151e148bfd61b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/extractors/typescript-extractor.ts"}, "region": {"startLine": 208}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 88297, "scanner": "repobility-ai-code-hygiene", "fingerprint": "839b7df01b3aded7a6e413b7fd1ff7b851e48e182cb8dd34480fdedf9050bce5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/extractors/python-extractor.ts", "duplicate_line": 137, "correlation_key": "fp|839b7df01b3aded7a6e413b7fd1ff7b851e48e182cb8dd34480fdedf9050bce5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/extractors/rust-extractor.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88296, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ffefa3ee3ee9a1dc127ccb46a3d44f0a4ba3ff35136598bbfcdc408fef5206f1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/extractors/cpp-extractor.ts", "duplicate_line": 89, "correlation_key": "fp|ffefa3ee3ee9a1dc127ccb46a3d44f0a4ba3ff35136598bbfcdc408fef5206f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/extractors/rust-extractor.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 88295, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7131507fd9e3d71f3930a50112288cfef289d8cfc09a55f0cded268b24ef4cf2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/extractors/csharp-extractor.ts", "duplicate_line": 230, "correlation_key": "fp|7131507fd9e3d71f3930a50112288cfef289d8cfc09a55f0cded268b24ef4cf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/extractors/python-extractor.ts"}, "region": {"startLine": 180}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88294, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c0bad39d0ab34116b2e24deeb5f7b6d9a015e42e51a21e97f8ea97f3e4a8a0ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/extractors/java-extractor.ts", "duplicate_line": 211, "correlation_key": "fp|c0bad39d0ab34116b2e24deeb5f7b6d9a015e42e51a21e97f8ea97f3e4a8a0ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/extractors/python-extractor.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": 
"AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88293, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c84287e2b296c20e58656b0d3e208a4e874971ec67eb574f509de7f8be04b8b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/extractors/go-extractor.ts", "duplicate_line": 98, "correlation_key": "fp|c84287e2b296c20e58656b0d3e208a4e874971ec67eb574f509de7f8be04b8b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/extractors/python-extractor.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "187d3683ff22d8547b126ceb182e63def4f995a2e1c8d4228cb7b73abe5b25ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/extractors/csharp-extractor.ts", "duplicate_line": 59, "correlation_key": "fp|187d3683ff22d8547b126ceb182e63def4f995a2e1c8d4228cb7b73abe5b25ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/extractors/java-extractor.ts"}, 
"region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48ebe8b43500fc044dbdefcb13fffa0cb37f8bc9932718157366fe638609251c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/plugins/extractors/cpp-extractor.ts", "duplicate_line": 104, "correlation_key": "fp|48ebe8b43500fc044dbdefcb13fffa0cb37f8bc9932718157366fe638609251c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/extractors/csharp-extractor.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a5d23ff2d0d5df0fe76f235104c01a11ca920eda5fb7d56d257e776e16bd23f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "understand-anything-plugin/packages/core/src/analyzer/language-lesson.ts", "duplicate_line": 115, "correlation_key": "fp|a5d23ff2d0d5df0fe76f235104c01a11ca920eda5fb7d56d257e776e16bd23f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"understand-anything-plugin/packages/core/src/analyzer/llm-analyzer.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, for=3, if=8, nested_bonus=2."}, "properties": {"repobilityId": 88289, "scanner": "repobility-threat-engine", "fingerprint": "07a23f8cfcb8caaeecdadace366183e7c2f9553e66aa5d710a25a2d21d555fe5", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 8, "for": 3, "else": 1, "nested_bonus": 2}, "complexity": 14, "correlation_key": "fp|07a23f8cfcb8caaeecdadace366183e7c2f9553e66aa5d710a25a2d21d555fe5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/skills/understand/merge-subdomain-graphs.py"}, "region": {"startLine": 235}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). 
Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 88272, "scanner": "repobility-threat-engine", "fingerprint": "149615f17f70fd91092ae82bfb868af5facd73e006985d7464296f39263c9e78", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "import type { AnalyzerPlugin, StructuralAnalysis, ServiceInfo, StepInfo } from \"../../types.js\";\n\n/*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|149615f17f70fd91092ae82bfb868af5facd73e006985d7464296f39263c9e78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/dockerfile-parser.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). 
Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 88271, "scanner": "repobility-threat-engine", "fingerprint": "a0dc26c005620286e2b8e17b52d86627d351075aac7da0cf6af68ce26ff874ee", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "import type { LanguageConfig } from \"../types.js\";\n\nexport const dockerfileConfig = {\n  id: \"dockerf", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a0dc26c005620286e2b8e17b52d86627d351075aac7da0cf6af68ce26ff874ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/languages/configs/dockerfile.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 88287, "scanner": "repobility-threat-engine", "fingerprint": "500c01b8f2219c38737797504acee2a77dc5f8be9eba9e81a2099cf8d5c07f92", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|500c01b8f2219c38737797504acee2a77dc5f8be9eba9e81a2099cf8d5c07f92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/skills/understand/merge-subdomain-graphs.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 88286, "scanner": "repobility-threat-engine", "fingerprint": "06b6545a676cd34c4b8eb038fae333c0c49ba4a086ac6d4872d9dec642f03678", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|06b6545a676cd34c4b8eb038fae333c0c49ba4a086ac6d4872d9dec642f03678"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"understand-anything-plugin/packages/dashboard/src/components/OnboardingOverlay.tsx"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 88285, "scanner": "repobility-threat-engine", "fingerprint": "b494efd4d1de2adac5a573bd9d12f924184eb1bed65132063e8a164d5d90f873", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b494efd4d1de2adac5a573bd9d12f924184eb1bed65132063e8a164d5d90f873"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/src/components/LearnPanel.tsx"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 88284, "scanner": "repobility-threat-engine", "fingerprint": "522c01d80bea1560a3345b8218a5ef6644f17279eeb9f27f2d6998ae76de4072", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|522c01d80bea1560a3345b8218a5ef6644f17279eeb9f27f2d6998ae76de4072"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/src/components/KeyboardShortcutsHelp.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 88280, "scanner": "repobility-threat-engine", "fingerprint": "f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 88276, "scanner": "repobility-threat-engine", "fingerprint": "2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 88268, "scanner": "repobility-threat-engine", "fingerprint": "29579e2a4af6df15e54ac7b6768d3485c072e1347c93f2e5c5a972f11aa15fa2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|29579e2a4af6df15e54ac7b6768d3485c072e1347c93f2e5c5a972f11aa15fa2", "aggregated_count": 5}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 88267, "scanner": "repobility-threat-engine", "fingerprint": "c2725d9f56ddbcfe9b4d7756a37574db858927a44189cbfd740b2afd41833be5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2725d9f56ddbcfe9b4d7756a37574db858927a44189cbfd740b2afd41833be5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/json-parser.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 88266, "scanner": "repobility-threat-engine", "fingerprint": "3024b8c09d6f663afb70c4ce0d507bfb328f40f54b971d29c4a74b26a019e833", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3024b8c09d6f663afb70c4ce0d507bfb328f40f54b971d29c4a74b26a019e833"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/extractors/go-extractor.ts"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 88265, "scanner": "repobility-threat-engine", "fingerprint": "9ba16c57d34b9ed2061bb0198ec7c50bad422d77e28f98d0ac2abd9a05b6df32", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9ba16c57d34b9ed2061bb0198ec7c50bad422d77e28f98d0ac2abd9a05b6df32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/analyzer/tour-generator.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 88264, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 88260, "scanner": "repobility-threat-engine", "fingerprint": "c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "aggregated_count": 9}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 88259, "scanner": "repobility-threat-engine", "fingerprint": "32e60d951f54f4f2265466572b7b7e63bac9c74807b83113576c0bb85eabbb4f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|32e60d951f54f4f2265466572b7b7e63bac9c74807b83113576c0bb85eabbb4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/json-parser.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 88258, "scanner": "repobility-threat-engine", "fingerprint": "235631b19705500a9dd2713638a5ac57355c642d76e252b89208ff25dd3c32df", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|235631b19705500a9dd2713638a5ac57355c642d76e252b89208ff25dd3c32df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/analyzer/graph-builder.ts"}, "region": {"startLine": 304}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 88257, "scanner": "repobility-threat-engine", "fingerprint": "d3037e8f33d2f06e24119695c85b4187cf80fbb770c6eaf042957c52b562a751", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d3037e8f33d2f06e24119695c85b4187cf80fbb770c6eaf042957c52b562a751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate-large-graph.mjs"}, "region": {"startLine": 286}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 88256, "scanner": "repobility-threat-engine", "fingerprint": "821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v4`: `uses: actions/deploy-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88353, "scanner": "repobility-supply-chain", "fingerprint": "36c26af55d9e2162a330e582364438a5eb4a624e0fade1de44a8ce766e877b61", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36c26af55d9e2162a330e582364438a5eb4a624e0fade1de44a8ce766e877b61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-homepage.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-pages-artifact` pinned to mutable ref `@v3`: `uses: actions/upload-pages-artifact@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88352, "scanner": "repobility-supply-chain", "fingerprint": "62c52996d0d57da47c7cd79061476506de1757675cce36bff3bada5d36a5cedc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62c52996d0d57da47c7cd79061476506de1757675cce36bff3bada5d36a5cedc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-homepage.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88351, "scanner": "repobility-supply-chain", "fingerprint": "59fb67285d73ef1cadc3b891994f9f29e712463db56f0342649ce8f9ab91b35a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59fb67285d73ef1cadc3b891994f9f29e712463db56f0342649ce8f9ab91b35a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-homepage.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88350, "scanner": "repobility-supply-chain", "fingerprint": "1845397e6e65dd83280ec8248df3de3e3b60f8bd88e513c95491305820c2ada0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1845397e6e65dd83280ec8248df3de3e3b60f8bd88e513c95491305820c2ada0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-homepage.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88349, "scanner": "repobility-supply-chain", "fingerprint": "729d53c749cde4da44e3d166ac048301054684b5fec8398d3b1f51aa4769cbc0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|729d53c749cde4da44e3d166ac048301054684b5fec8398d3b1f51aa4769cbc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-homepage.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88348, "scanner": "repobility-supply-chain", "fingerprint": "08bc60a61f23f5048066e3440c7efd057cf42d717df6bba046c8c9a8ba54c5a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|08bc60a61f23f5048066e3440c7efd057cf42d717df6bba046c8c9a8ba54c5a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88347, "scanner": "repobility-supply-chain", "fingerprint": "8273fcda04779cbee9c0c39401556cf53d375c239b929bd8737dc26085f60870", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8273fcda04779cbee9c0c39401556cf53d375c239b929bd8737dc26085f60870"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88346, "scanner": "repobility-supply-chain", "fingerprint": "714e867a2b86405b34ff2839ab32232d37f4299693f19b35d248a2b898f4850d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|714e867a2b86405b34ff2839ab32232d37f4299693f19b35d248a2b898f4850d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.subTest` used but never assigned in __init__: Method `test_production_files_rejected` of class `IsTestPathTests` reads `self.subTest`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88345, "scanner": "repobility-ast-engine", "fingerprint": "a2107ca19a31fd0729328de857c6ecef07b8402c293045a87c2e2c4bda99128b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a2107ca19a31fd0729328de857c6ecef07b8402c293045a87c2e2c4bda99128b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_c_cpp_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88344, "scanner": "repobility-ast-engine", "fingerprint": "4d7bcaac1ca03b8b61b85d4907aa2dce167b95935c09eb4ed99cd3085ca07e7f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4d7bcaac1ca03b8b61b85d4907aa2dce167b95935c09eb4ed99cd3085ca07e7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_c_cpp_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88343, "scanner": "repobility-ast-engine", "fingerprint": "165731ccb36132c552e7108f35cde003129ecd504094c4222af5e7cc5dd291f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|165731ccb36132c552e7108f35cde003129ecd504094c4222af5e7cc5dd291f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_c_cpp_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88342, "scanner": "repobility-ast-engine", "fingerprint": "08fd060ef362cb5a9022fb2d5d41ed1cc82d3655bdc21ec2e5fea9a771d940a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08fd060ef362cb5a9022fb2d5d41ed1cc82d3655bdc21ec2e5fea9a771d940a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_c_cpp_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88341, "scanner": "repobility-ast-engine", "fingerprint": "e616015cc08730f130a49e6fda98f6207d05e2d18a142bb01e322ccd9b3d1b49", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e616015cc08730f130a49e6fda98f6207d05e2d18a142bb01e322ccd9b3d1b49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_c_cpp_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88340, "scanner": "repobility-ast-engine", "fingerprint": "fb6654ea76d84738f5a076c378141d1c23922a07c48817b2fcf59f9271a4e92b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fb6654ea76d84738f5a076c378141d1c23922a07c48817b2fcf59f9271a4e92b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_csharp_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88339, "scanner": "repobility-ast-engine", "fingerprint": "c9146c1db7883944d04cbb13c2cb700c5a6b1c4006ff2cca6dd67b870769452c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c9146c1db7883944d04cbb13c2cb700c5a6b1c4006ff2cca6dd67b870769452c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_csharp_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88338, "scanner": "repobility-ast-engine", "fingerprint": "07968a21bdff90b874ab598111928a90561fed026eb11bd54dcc3b26db13e5a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|07968a21bdff90b874ab598111928a90561fed026eb11bd54dcc3b26db13e5a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_kotlin_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88337, "scanner": "repobility-ast-engine", "fingerprint": "6c7c974774dfc3bd778e07597fb855817162a7696f54ee87011cc9d047c14594", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6c7c974774dfc3bd778e07597fb855817162a7696f54ee87011cc9d047c14594"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_kotlin_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88336, "scanner": "repobility-ast-engine", "fingerprint": "e155eeff786ece4de6536871711526ca18b892260fd45f53468e6db980f3211b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e155eeff786ece4de6536871711526ca18b892260fd45f53468e6db980f3211b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_java_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88335, "scanner": "repobility-ast-engine", "fingerprint": "06660716a21251f618766b0282e5187df554dacabe885f196644ab8f6974141f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06660716a21251f618766b0282e5187df554dacabe885f196644ab8f6974141f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_java_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88334, "scanner": "repobility-ast-engine", "fingerprint": "2a902da46853b99fb9ac34655f7a1c7add6478722a6cee618d74cfa62c98b1cf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a902da46853b99fb9ac34655f7a1c7add6478722a6cee618d74cfa62c98b1cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_java_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88333, "scanner": "repobility-ast-engine", "fingerprint": "47ed09c27e2cef7fa3147119944684486cd012c0f8a203900d8ddc7f607eb6f7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|47ed09c27e2cef7fa3147119944684486cd012c0f8a203900d8ddc7f607eb6f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_python_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88332, "scanner": "repobility-ast-engine", "fingerprint": "2fc5cd1c89d35587defccbe3f8cde2030dc38c06ed9a153a4686b1219e7584d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2fc5cd1c89d35587defccbe3f8cde2030dc38c06ed9a153a4686b1219e7584d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_python_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88331, "scanner": "repobility-ast-engine", "fingerprint": "0c8e25ee53dc8f4ce598a81fb0ffc8c8bb45f245581159281a6d6474d32c423e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c8e25ee53dc8f4ce598a81fb0ffc8c8bb45f245581159281a6d6474d32c423e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_python_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88330, "scanner": "repobility-ast-engine", "fingerprint": "f0d6dc8f82c02875235dd79ec2e691140660bc6b3b9d3875bc6c15ab831d9b71", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f0d6dc8f82c02875235dd79ec2e691140660bc6b3b9d3875bc6c15ab831d9b71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_go_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88329, "scanner": "repobility-ast-engine", "fingerprint": "42671bab9ad5ea433a71b37049cff5dce54a43a9b1c4208e4ee1189a6610ceae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|42671bab9ad5ea433a71b37049cff5dce54a43a9b1c4208e4ee1189a6610ceae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_go_test_files` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88328, "scanner": "repobility-ast-engine", "fingerprint": "922d3f4bf7e2e5e7665d8031b458b326481471e5648eedb753c46c427e2d9f1a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|922d3f4bf7e2e5e7665d8031b458b326481471e5648eedb753c46c427e2d9f1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_tests_directory_with_test_extension` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88327, "scanner": "repobility-ast-engine", "fingerprint": "5c839ce03ee605948b9a65e34bd9bce5eee7baf4f1b3cdc792e090901cd8e8b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5c839ce03ee605948b9a65e34bd9bce5eee7baf4f1b3cdc792e090901cd8e8b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_tests_directory_with_test_extension` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88326, "scanner": "repobility-ast-engine", "fingerprint": "ce084a15bf3c692e65839852029357b61227e43f3d83175a23fcc2fbe1e9a58d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce084a15bf3c692e65839852029357b61227e43f3d83175a23fcc2fbe1e9a58d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_tests_directory_with_test_extension` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88325, "scanner": "repobility-ast-engine", "fingerprint": "b117a6b250933680dcb8eb076d44d7ee547a6b388b9fae8fcb80e3a09c02639d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b117a6b250933680dcb8eb076d44d7ee547a6b388b9fae8fcb80e3a09c02639d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_underscore_test_dir_with_test_extension` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88324, "scanner": "repobility-ast-engine", "fingerprint": "9490197747884a208e5dae5c1c3b6ca3c979bfad81983438641aac6476cdb489", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9490197747884a208e5dae5c1c3b6ca3c979bfad81983438641aac6476cdb489"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_underscore_test_dir_with_test_extension` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88323, "scanner": "repobility-ast-engine", "fingerprint": "db73d938b0dc7a8ed16fe1d73480a0c881ffa72592425113c328832fa58bf768", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|db73d938b0dc7a8ed16fe1d73480a0c881ffa72592425113c328832fa58bf768"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_js_ts_sibling_test_extensions` of class `IsTestPathTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88322, "scanner": "repobility-ast-engine", "fingerprint": "0baba5107433eea1288f91b95617290670f4505b0f9b83b0f5ca361cd2d0c097", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0baba5107433eea1288f91b95617290670f4505b0f9b83b0f5ca361cd2d0c097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.subTest` used but never assigned in __init__: Method `test_js_ts_sibling_test_extensions` of class `IsTestPathTests` reads `self.subTest`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 88321, "scanner": "repobility-ast-engine", "fingerprint": "8286b9895dd107a23208669d60deb5e2acb17a74d471213eabcc47bdb64b7d83", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8286b9895dd107a23208669d60deb5e2acb17a74d471213eabcc47bdb64b7d83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/skill/understand/test_merge_batch_graphs.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `merge_graphs` has cognitive complexity 92 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, else=4, for=17, if=23, nested_bonus=44, or=1, ternary=2."}, "properties": {"repobilityId": 88288, "scanner": "repobility-threat-engine", "fingerprint": "0ed0974a5b57e95a9884244aacf6bd6734ff897740c6e862a9746a3504173a4b", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 92 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "merge_graphs", "breakdown": {"if": 23, "or": 1, "for": 17, "else": 4, "ternary": 2, "continue": 1, "nested_bonus": 44}, "complexity": 92, "correlation_key": "fp|0ed0974a5b57e95a9884244aacf6bd6734ff897740c6e862a9746a3504173a4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/skills/understand/merge-subdomain-graphs.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88283, "scanner": "repobility-threat-engine", "fingerprint": "a12977f0cc7720a08fc0dfa398455809d1f03947f922cd9a346b318254085aa0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "newTypes.delete(type);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a12977f0cc7720a08fc0dfa398455809d1f03947f922cd9a346b318254085aa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/src/components/FilterPanel.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88282, "scanner": "repobility-threat-engine", "fingerprint": "b62eb4574ac57337a150c695756e5da57fed26f4a64f7d3474c4f39834ca1399", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(folderPath);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b62eb4574ac57337a150c695756e5da57fed26f4a64f7d3474c4f39834ca1399"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/src/components/FileExplorer.tsx"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88281, "scanner": "repobility-threat-engine", "fingerprint": "7b8b108cd3b1bdbe61106667791797ad63db588287888ecfc0faf33f1e1fc762", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "parser.delete();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b8b108cd3b1bdbe61106667791797ad63db588287888ecfc0faf33f1e1fc762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/tree-sitter-plugin.ts"}, "region": {"startLine": 232}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 88279, "scanner": "repobility-threat-engine", "fingerprint": "8a99b01bf4f6fea5fe059dfe7f6c5b481ee64e9aff07c4634099400faf4ed662", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8a99b01bf4f6fea5fe059dfe7f6c5b481ee64e9aff07c4634099400faf4ed662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/markdown-parser.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 88278, "scanner": "repobility-threat-engine", "fingerprint": "d5c0dd6cf146cc3ab0fbd08d23c9f12c7e41be315d3ec6b8046434c0e2e5a730", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d5c0dd6cf146cc3ab0fbd08d23c9f12c7e41be315d3ec6b8046434c0e2e5a730"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/json-parser.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 88277, "scanner": "repobility-threat-engine", "fingerprint": "725c6e175553ca05186aa5c65e4f5310b8cc817f2aa388a8b5528a86142b946b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|725c6e175553ca05186aa5c65e4f5310b8cc817f2aa388a8b5528a86142b946b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/graphql-parser.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). 
Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 88270, "scanner": "repobility-threat-engine", "fingerprint": "d29d324673fdc58ea4e97b6a49d54127452eab1cd1377196799e3a8d19a08a42", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "import type { AnalyzerPlugin, StructuralAnalysis, ServiceInfo, StepInfo } from \"../../types.js\";\n\n/*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d29d324673fdc58ea4e97b6a49d54127452eab1cd1377196799e3a8d19a08a42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/plugins/parsers/dockerfile-parser.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). 
Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 88269, "scanner": "repobility-threat-engine", "fingerprint": "ac84ecc9f8ee6c49196239df1fa201184ad02549cffee458467a48f022fa8f0b", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "import type { LanguageConfig } from \"../types.js\";\n\nexport const dockerfileConfig = {\n  id: \"dockerf", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ac84ecc9f8ee6c49196239df1fa201184ad02549cffee458467a48f022fa8f0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/languages/configs/dockerfile.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 88263, "scanner": "repobility-threat-engine", "fingerprint": "fe3cf6cc29d15611af21d8b78e308a0ac9d6c33411b9a57a12ddac47eb5af6a2", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((f) => `  - ${f}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fe3cf6cc29d15611af21d8b78e308a0ac9d6c33411b9a57a12ddac47eb5af6a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/analyzer/llm-analyzer.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 88262, "scanner": "repobility-threat-engine", "fingerprint": "12bc934489e072d47183d800211873f45545c2235ff01d845ebd1eb7415a3ba8", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((f) => `  - ${f}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|12bc934489e072d47183d800211873f45545c2235ff01d845ebd1eb7415a3ba8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/analyzer/layer-detector.ts"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 88261, "scanner": "repobility-threat-engine", "fingerprint": "92425b49ab321f45cdb58d898bf76815dcf4b628f96fefe85e30fd2066d28a65", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((c) => `  - ${c}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92425b49ab321f45cdb58d898bf76815dcf4b628f96fefe85e30fd2066d28a65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/core/src/analyzer/language-lesson.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88255, "scanner": "repobility-threat-engine", "fingerprint": "730f97c627febcc3ae98c62970aa6a1987b13fcac8217c72afe80105270bd042", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|730f97c627febcc3ae98c62970aa6a1987b13fcac8217c72afe80105270bd042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/src/components/ExportMenu.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88254, "scanner": "repobility-threat-engine", "fingerprint": "e20732bb08447ed8798e99b192c62b2911507b139321e5fc938b1d2529e88bde", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e20732bb08447ed8798e99b192c62b2911507b139321e5fc938b1d2529e88bde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/packages/dashboard/src/components/CodeViewer.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88253, "scanner": "repobility-threat-engine", "fingerprint": "7443afa2b3ae88a65b7fd0edd091bd6989e1f3c9f9757715f05c07afe7df2f4f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7443afa2b3ae88a65b7fd0edd091bd6989e1f3c9f9757715f05c07afe7df2f4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.sh"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 88320, "scanner": "repobility-ast-engine", "fingerprint": "ceb561f09283950bac04136a2dd794a70130496226ffa6db10f1f14252b93f7c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ceb561f09283950bac04136a2dd794a70130496226ffa6db10f1f14252b93f7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "understand-anything-plugin/skills/understand-knowledge/parse-knowledge-base.py"}, "region": {"startLine": 403}}}]}]}]}