{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR015", "name": "Docker build context is very large", "shortDescription": {"text": "Docker build context is very large"}, "fullDescription": {"text": "Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `jackson_format` has cognitive complexity 23 (SonarSource scale). Cognitiv", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `jackson_format` has cognitive complexity 23 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursio"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 23."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Remove generated output from version control, add it to .gitignore and .dockerignore where relevant, and regenerate it in CI or release jobs."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 9 more): Same pattern found in 9 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 39 more): Same pattern found in 39 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `.mvn/wrapper/maven-wrapper.jar` committed in source repo: `.mvn/wrapper/maven-wrapper.jar` is a ", "shortDescription": {"text": "[MINED134] Binary file `.mvn/wrapper/maven-wrapper.jar` committed in source repo: `.mvn/wrapper/maven-wrapper.jar` is a .jar binary (63,093 bytes) committed to a repo that otherwise has 25292 source files. Trojan binaries inside otherwise-n"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at work", "shortDescription": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise"}, "fullDescription": {"text": "Replace with: `uses: actions/github-script@<40-char-sha>  # v9` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `mirror.gcr.io/fedora:43` not pinned by digest: `FROM mirror.gcr.io/fedora:43` resolves the t", "shortDescription": {"text": "[MINED118] Dockerfile FROM `mirror.gcr.io/fedora:43` not pinned by digest: `FROM mirror.gcr.io/fedora:43` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. "}, "fullDescription": {"text": "Replace with: `FROM mirror.gcr.io/fedora:43@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.check_image_versions` used but never assigned in __init__: Method `run_check` of class `ContainerVersio", "shortDescription": {"text": "[MINED108] `self.check_image_versions` used but never assigned in __init__: Method `run_check` of class `ContainerVersionChecker` reads `self.check_image_versions`, but no assignment to it exists in __init__ (and no class-level fallback). T"}, "fullDescription": {"text": "Initialize `self.check_image_versions = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR004", "name": "Docker build secret exposed through ARG", "shortDescription": {"text": "Docker build secret exposed through ARG"}, "fullDescription": {"text": "Replace secret ARG usage with `RUN --mount=type=secret,id=name ...` and pass the value with `docker build --secret`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC111", "name": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Cal", "shortDescription": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS."}, "fullDescription": {"text": "Use `django.utils.html.format_html(\"<p>{}</p>\", user_input)` \u2014 Django will escape the placeholder. Or escape explicitly with `django.utils.html.escape()`. Only use `mark_safe` on string literals."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC113", "name": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impe", "shortDescription": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "fullDescription": {"text": "Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of servic"}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1016"}, "properties": {"repository": "apache/camel", "repoUrl": "https://github.com/apache/camel", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 95341, "scanner": "repobility-ast-engine", "fingerprint": "4a0cc565123ca3c838314a1124cc6a46b6c86dbd566dc5311f0ae85d4e5ea728", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4a0cc565123ca3c838314a1124cc6a46b6c86dbd566dc5311f0ae85d4e5ea728"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 917}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 95340, "scanner": "repobility-ast-engine", "fingerprint": "a89a7013e7cd3756def8842f4fb50e47a05437f8afac27875553aeb24e01138f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a89a7013e7cd3756def8842f4fb50e47a05437f8afac27875553aeb24e01138f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 823}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 95339, "scanner": "repobility-ast-engine", "fingerprint": "e7e91ebc96c432b84312da2779e04cc5ca0ca0ebd894faa3304aa649451dda86", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e7e91ebc96c432b84312da2779e04cc5ca0ca0ebd894faa3304aa649451dda86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 1173}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 95314, "scanner": "repobility-ast-engine", "fingerprint": "630ea315320a7b668cc30477eb7b06c9a9ee7235318aa82d8dedcd4d48d0ba0e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|630ea315320a7b668cc30477eb7b06c9a9ee7235318aa82d8dedcd4d48d0ba0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-ocsf/src/main/script/generate-ocsf-schemas.py"}, "region": {"startLine": 667}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 95313, "scanner": "repobility-ast-engine", "fingerprint": "44c8ef7669c3dd30be12f937ae1add341be63337ec9a6e4b34558fd6ee800395", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44c8ef7669c3dd30be12f937ae1add341be63337ec9a6e4b34558fd6ee800395"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-ocsf/src/main/script/generate-ocsf-schemas.py"}, "region": {"startLine": 586}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 95312, "scanner": "repobility-ast-engine", "fingerprint": "f1a130560a82483cd514e23050cb94961b1b893868e3d91328d37758bd81bb3e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f1a130560a82483cd514e23050cb94961b1b893868e3d91328d37758bd81bb3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-ocsf/src/main/script/generate-ocsf-schemas.py"}, "region": {"startLine": 504}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 95311, "scanner": "repobility-ast-engine", "fingerprint": "5a7c527bd1489b52583ab7b83f42d9a1afb7d08c48c446954dcfeddd8ad1a6c4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a7c527bd1489b52583ab7b83f42d9a1afb7d08c48c446954dcfeddd8ad1a6c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-ocsf/src/main/script/generate-ocsf-schemas.py"}, "region": {"startLine": 442}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 95310, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Quarkus"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 95309, "scanner": "repobility-docker", "fingerprint": "12fe4b6e0d1f5578fffdf9ce01c65c74ae78d43e0dce474f5fd8cf65e0312e92", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mirror.gcr.io/fedora:43", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|12fe4b6e0d1f5578fffdf9ce01c65c74ae78d43e0dce474f5fd8cf65e0312e92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test-infra/camel-test-infra-smb/src/main/resources/org/apache/camel/test/infra/smb/services/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 95302, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR015", "level": "warning", "message": {"text": "Docker build context is very large"}, "properties": {"repobilityId": 95301, "scanner": "repobility-docker", "fingerprint": "b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Estimated Docker build context exceeds Repobility's size or file-count threshold.", "evidence": {"capped": false, "rule_id": "DKR015", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "largest_paths": [{"path": ".git/objects/pack/pack-4d6cda5f51019c3f10ce5b910e13ae0dc803f425.pack", "size_mb": 36.8}, {"path": ".git/objects/pack/pack-90a0a3849e9782d9841798c4f99db61c1bc4d966.pack", "size_mb": 12.4}, {"path": "components/camel-aws/camel-aws2-s3/src/test/resources/empty-big.bin", "size_mb": 10.0}, {"path": "camel-sbom/camel-sbom.json", "size_mb": 8.6}, {"path": "camel-sbom/camel-sbom.xml", "size_mb": 8.0}], "included_files": 38410, "context_size_mb": 322.6, "correlation_key": "fp|b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 95300, "scanner": "repobility-agent-runtime", "fingerprint": "b0b6920a546fb6646687767856a0e4e09f4f39b0ae89699d5620dad32327ca6f", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b0b6920a546fb6646687767856a0e4e09f4f39b0ae89699d5620dad32327ca6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/vertx-websocket.json"}, "region": {"startLine": 4}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 95299, "scanner": "repobility-agent-runtime", "fingerprint": "d229906ce712a5a591c7b9f989df2b4c6edfea5f06d4f6180a8deff9c63c2357", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d229906ce712a5a591c7b9f989df2b4c6edfea5f06d4f6180a8deff9c63c2357"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/thrift.json"}, "region": {"startLine": 27}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 95298, "scanner": "repobility-agent-runtime", "fingerprint": "785cec4ff01172c70dc7016487a8355dead7073832a00a2cbf20c85d5c569778", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|785cec4ff01172c70dc7016487a8355dead7073832a00a2cbf20c85d5c569778"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/netty.json"}, "region": {"startLine": 35}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 95297, "scanner": "repobility-agent-runtime", "fingerprint": "4af4f00dfac19c13c9f4b4144ba4c8e364ebcad0b856f38a9d1c8eb9de3245a3", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4af4f00dfac19c13c9f4b4144ba4c8e364ebcad0b856f38a9d1c8eb9de3245a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/netty-http.json"}, "region": {"startLine": 36}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 95296, "scanner": "repobility-agent-runtime", "fingerprint": "a36a76d15ba613944a24cf5da9165c5f59b95186ac262d1c7f3ffbf2d26c698b", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a36a76d15ba613944a24cf5da9165c5f59b95186ac262d1c7f3ffbf2d26c698b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/mina.json"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 95295, "scanner": "repobility-agent-runtime", "fingerprint": "8c69f0fda6e50a2a62843141b552d1d9b692cce044f6be7d0d60431992e58d6c", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8c69f0fda6e50a2a62843141b552d1d9b692cce044f6be7d0d60431992e58d6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/grpc.json"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 95258, "scanner": "repobility-threat-engine", "fingerprint": "47739c415720f6701126454be4106ffdd70bbde9f4dd5c63ca49f83f415bea52", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|63|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-docker/src/main/java/org/apache/camel/component/docker/consumer/DockerStatsConsumer.java"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 95257, "scanner": "repobility-threat-engine", "fingerprint": "33e75629dabab20872d791b4f60c30fbe7fdf77c25aed4d63b0eac2cdca7d06e", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|73|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-docker/src/main/java/org/apache/camel/component/docker/consumer/DockerEventsConsumer.java"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC002", "level": "warning", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 95256, "scanner": "repobility-threat-engine", "fingerprint": "ec8232de8bad458fa7f36dccad4d82ac6978f601de7b1e74db56c31da3692470", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "evidence": {"match": "API_KEY = \"<redacted>\"", "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|7|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-cyberark-vault/src/main/java/org/apache/camel/component/cyberark/vault/CyberArkVaultPropertiesFunction.java"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 95248, "scanner": "repobility-threat-engine", "fingerprint": "4ad00a49352609d44058cf52b3fe3f8b2c74042092f2b8518206ee80e4800f1a", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.9 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (3.9 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|4|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-crypto-pgp/src/main/java/org/apache/camel/converter/crypto/PGPDataFormat.java"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 95247, "scanner": "repobility-threat-engine", "fingerprint": "eea015f8d03a2ae79c411be33ecb8725e4a7e5c54778adcc1b337e0c45bef6b1", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|3|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-amqp/src/main/java/org/apache/camel/component/amqp/AMQPConnectionDetails.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `jackson_format` has cognitive complexity 23 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=2, else=2, for=2, if=2, nested_bonus=13, ternary=2."}, "properties": {"repobilityId": 95221, "scanner": "repobility-threat-engine", "fingerprint": "3594efa636c39048edf61b2d32b2107628201b9c7136ccd6f4a0cb25ddec22ec", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 23 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "jackson_format", "breakdown": {"if": 2, "for": 2, "elif": 2, "else": 2, "ternary": 2, "nested_bonus": 13}, "complexity": 23, "correlation_key": "fp|3594efa636c39048edf61b2d32b2107628201b9c7136ccd6f4a0cb25ddec22ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/update-metadata-version.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95294, "scanner": "repobility-ai-code-hygiene", "fingerprint": "189a5c02b91febb05e99b23b556377c5b6b08b1991d135033fa772f76d57fdea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "components/camel-activemq/src/main/java/org/apache/camel/component/activemq/ActiveMQConfiguration.java", "duplicate_line": 10, "correlation_key": "fp|189a5c02b91febb05e99b23b556377c5b6b08b1991d135033fa772f76d57fdea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-activemq6/src/main/java/org/apache/camel/component/activemq6/ActiveMQConfiguration.java"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95293, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c7cbed450068d804809ece422201caf0cc5529fed033ffd6fd6acd8be88d8e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "components/camel-activemq/src/main/java/org/apache/camel/component/activemq/ActiveMQComponent.java", "duplicate_line": 22, "correlation_key": "fp|0c7cbed450068d804809ece422201caf0cc5529fed033ffd6fd6acd8be88d8e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-activemq6/src/main/java/org/apache/camel/component/activemq6/ActiveMQComponent.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f14a9369d604d1f96a7f0bd57c1d4e9089a51a6bbe8afbc864f4f1eb576dee2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/roaster/AnonymousMethodSource.java", "duplicate_line": 279, "correlation_key": "fp|6f14a9369d604d1f96a7f0bd57c1d4e9089a51a6bbe8afbc864f4f1eb576dee2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/roaster/StatementFieldSource.java"}, "region": {"startLine": 170}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05fa1a177fa513abfe3f1bbe964d1498d828c406dde2a1fa1442464fed450e29", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestConfigurationDetails.java", "duplicate_line": 145, "correlation_key": "fp|05fa1a177fa513abfe3f1bbe964d1498d828c406dde2a1fa1442464fed450e29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestVerbDetails.java"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cce33fcdd014131acc31de5c090a4aa5d15cb7cdb0df76548a85eff69e39cb8a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestServiceDetails.java", "duplicate_line": 70, "correlation_key": "fp|cce33fcdd014131acc31de5c090a4aa5d15cb7cdb0df76548a85eff69e39cb8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestVerbDetails.java"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95289, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7eba04b6b6347d63d4896afd6b637481f350e53e04a9176864b76ac3264c5c5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/model/RouteCoverageNode.java", "duplicate_line": 9, "correlation_key": "fp|7eba04b6b6347d63d4896afd6b637481f350e53e04a9176864b76ac3264c5c5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestVerbDetails.java"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95288, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e169e3bfb23f5f9af1c42f2a92ad0e4f2523b0acb51c645cfa0791e09a8e672", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelNodeDetails.java", "duplicate_line": 81, "correlation_key": "fp|1e169e3bfb23f5f9af1c42f2a92ad0e4f2523b0acb51c645cfa0791e09a8e672"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestVerbDetails.java"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95287, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2dba397b9f510653168c611181a735ba155e76f398c8aa6c4854cb073f4cf190", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelEndpointDetails.java", "duplicate_line": 15, "correlation_key": "fp|2dba397b9f510653168c611181a735ba155e76f398c8aa6c4854cb073f4cf190"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestVerbDetails.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95286, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0acaba55c4b6a0abe074adc439cd11463a7229b0c8ca1cf333e8526ae9aa9c44", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestConfigurationDetails.java", "duplicate_line": 145, "correlation_key": "fp|0acaba55c4b6a0abe074adc439cd11463a7229b0c8ca1cf333e8526ae9aa9c44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestServiceDetails.java"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95285, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e0ea6241d00d2c2ddae812dd9a4377bc0d1c906eb34ebad624b96b77e91cce5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/model/RouteCoverageNode.java", "duplicate_line": 9, "correlation_key": "fp|1e0ea6241d00d2c2ddae812dd9a4377bc0d1c906eb34ebad624b96b77e91cce5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestServiceDetails.java"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95284, "scanner": "repobility-ai-code-hygiene", "fingerprint": "40c37dacc9e34cf874ee95249219ad271c267f36e1f78021afd2844280d7fd6c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelNodeDetails.java", "duplicate_line": 81, "correlation_key": "fp|40c37dacc9e34cf874ee95249219ad271c267f36e1f78021afd2844280d7fd6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestServiceDetails.java"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95283, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45fe696e4d4af50c6daf91dc14e8889b8d82520521003bd3b13ca8553c394a5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelEndpointDetails.java", "duplicate_line": 15, "correlation_key": "fp|45fe696e4d4af50c6daf91dc14e8889b8d82520521003bd3b13ca8553c394a5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestServiceDetails.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95282, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70d4b86cf0fc189a7b9a4a661695ce79e431018f934e268757cbef28b87dc524", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/model/RouteCoverageNode.java", "duplicate_line": 9, "correlation_key": "fp|70d4b86cf0fc189a7b9a4a661695ce79e431018f934e268757cbef28b87dc524"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestConfigurationDetails.java"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95281, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9996a504f8f7e200e08b352ff32a9eb3f395da64132295dfcbc7895d6a0c98a7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelEndpointDetails.java", "duplicate_line": 15, "correlation_key": "fp|9996a504f8f7e200e08b352ff32a9eb3f395da64132295dfcbc7895d6a0c98a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestConfigurationDetails.java"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95280, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99387236e48034ed18978a08fab7a90a5c66fc45bb84e9128424dd17e0885ad3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelNodeDetails.java", "duplicate_line": 73, "correlation_key": "fp|99387236e48034ed18978a08fab7a90a5c66fc45bb84e9128424dd17e0885ad3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/RestConfigurationDetails.java"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95279, "scanner": "repobility-ai-code-hygiene", "fingerprint": "92cdc41394c4e854f866d8f33ec075ada630fa05a736e7a4e913b385ece3fc6e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/model/RouteCoverageNode.java", "duplicate_line": 9, "correlation_key": "fp|92cdc41394c4e854f866d8f33ec075ada630fa05a736e7a4e913b385ece3fc6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/LanguageExpressionDetails.java"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95278, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5dd8f5e8c4480c4c2e3b44bca1ceaf274697ddfdb304588bf60ccd022cfbc855", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelEndpointDetails.java", "duplicate_line": 15, "correlation_key": "fp|5dd8f5e8c4480c4c2e3b44bca1ceaf274697ddfdb304588bf60ccd022cfbc855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/LanguageExpressionDetails.java"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95277, "scanner": "repobility-ai-code-hygiene", "fingerprint": "817238fa516fb2238aa93aca7a089f1f91ebb42c807597476d5deaf235e31afa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/model/RouteCoverageNode.java", "duplicate_line": 9, "correlation_key": "fp|817238fa516fb2238aa93aca7a089f1f91ebb42c807597476d5deaf235e31afa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelRouteDetails.java"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95276, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5eba50ba900478f7c159da00fdb315590f188cc40c03c1584bb421f58a98c36a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelEndpointDetails.java", "duplicate_line": 15, "correlation_key": "fp|5eba50ba900478f7c159da00fdb315590f188cc40c03c1584bb421f58a98c36a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelRouteDetails.java"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95275, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c2e61f38888d2930a889460e810eb1f7197fd71d5479bd7bd3453d4c9d062aca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/model/RouteCoverageNode.java", "duplicate_line": 9, "correlation_key": "fp|c2e61f38888d2930a889460e810eb1f7197fd71d5479bd7bd3453d4c9d062aca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelNodeDetails.java"}, "region": {"startLine": 98}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95274, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72adb5f60f8c6658e358ccff874c6228632a6f3bc7dcd9938ddf4008c8dd5614", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelEndpointDetails.java", "duplicate_line": 15, "correlation_key": "fp|72adb5f60f8c6658e358ccff874c6228632a6f3bc7dcd9938ddf4008c8dd5614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelNodeDetails.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95273, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70ff8a9ff621b7848a4304fb569fe6d13fd762d479267211eb5f9ed48a5b0bc1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/model/RouteCoverageNode.java", "duplicate_line": 9, "correlation_key": "fp|70ff8a9ff621b7848a4304fb569fe6d13fd762d479267211eb5f9ed48a5b0bc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/model/CamelEndpointDetails.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95272, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f5552c09cb1570df241c70fa5384ec2b99095b4adb0252c0ec5e3bda287be14", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/RouteCoverageMojo.java", "duplicate_line": 543, "correlation_key": "fp|1f5552c09cb1570df241c70fa5384ec2b99095b4adb0252c0ec5e3bda287be14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95271, "scanner": "repobility-ai-code-hygiene", "fingerprint": "33045bbf9f0f1fc7ae3a29e5e320724702a6aa77e82aa94c9abe603efdeac67c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/RouteBuilderParser.java", "duplicate_line": 324, "correlation_key": "fp|33045bbf9f0f1fc7ae3a29e5e320724702a6aa77e82aa94c9abe603efdeac67c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/ParserCommon.java"}, "region": {"startLine": 116}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95270, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22dd7e11d1b6897b10ff1931b900f958008deeacd01eda245f9a8b1d0b5839b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/CamelJavaParserHelper.java", "duplicate_line": 403, "correlation_key": "fp|22dd7e11d1b6897b10ff1931b900f958008deeacd01eda245f9a8b1d0b5839b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/CamelJavaTreeParserHelper.java"}, "region": {"startLine": 214}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95269, "scanner": "repobility-ai-code-hygiene", "fingerprint": "24a26ac5168f06628ac20e299f876cb1aad4ea3b3375f63617ecf1accba7f1cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/CamelJavaRestDslParserHelper.java", "duplicate_line": 418, "correlation_key": "fp|24a26ac5168f06628ac20e299f876cb1aad4ea3b3375f63617ecf1accba7f1cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/CamelJavaTreeParserHelper.java"}, "region": {"startLine": 198}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95268, "scanner": "repobility-ai-code-hygiene", "fingerprint": "900064e78d1a0bd941836e01a1df08b5d4fc10921922869a2c8ed9a10789ccfc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/CamelJavaParserHelper.java", "duplicate_line": 469, "correlation_key": "fp|900064e78d1a0bd941836e01a1df08b5d4fc10921922869a2c8ed9a10789ccfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/CamelJavaRestDslParserHelper.java"}, "region": {"startLine": 454}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "532f009ad3796ba0671eb41c5e122d5e150ee22463cce77e7b7e6f0ad7c63320", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/htmlxlsx/model/RouteStatistic.java", "duplicate_line": 17, "correlation_key": "fp|532f009ad3796ba0671eb41c5e122d5e150ee22463cce77e7b7e6f0ad7c63320"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/htmlxlsx/model/RouteTotalsStatistic.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95266, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db876f096960aabdf214313605416055972a27f8d8d606b2f88833ee50bb5c6a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/htmlxlsx/model/CamelContextRouteCoverage.java", "duplicate_line": 7, "correlation_key": "fp|db876f096960aabdf214313605416055972a27f8d8d606b2f88833ee50bb5c6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/htmlxlsx/model/EipAttribute.java"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 95265, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c40e32574f49af010ea1a53af8bc3c80124b0f27dcb0db6b75c7d25583d38be8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/htmlxlsx/model/ChildEip.java", "duplicate_line": 14, "correlation_key": "fp|c40e32574f49af010ea1a53af8bc3c80124b0f27dcb0db6b75c7d25583d38be8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/htmlxlsx/model/EipAttribute.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 95264, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88585a892345b459ecd0d37c38161f54d65d05893394faa0db28e8275ed109a3", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "coverage", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|88585a892345b459ecd0d37c38161f54d65d05893394faa0db28e8275ed109a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "coverage"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 95229, "scanner": "repobility-threat-engine", "fingerprint": "27d0f8d5b5fb9cc4ec15afbd1ecb831cc2e3bc3a6aeb05039322ad93281889ee", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\", exchangesTotal=\" + exchangesTotal +\n               \", index=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|27d0f8d5b5fb9cc4ec15afbd1ecb831cc2e3bc3a6aeb05039322ad93281889ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/htmlxlsx/model/EipAttribute.java"}, "region": {"startLine": 180}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 95228, "scanner": "repobility-threat-engine", "fingerprint": "da9404fb41fd5b9843d6591cf089b9f2b1fcadf2a6df9fa5b18677a5ae8f03be", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\", exchangesTotal=\" + exchangesTotal +\n               \", totalProcessingTime=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da9404fb41fd5b9843d6591cf089b9f2b1fcadf2a6df9fa5b18677a5ae8f03be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/htmlxlsx/model/CamelContextRouteCoverage.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 95227, "scanner": "repobility-threat-engine", "fingerprint": "0599b018bbbd5e0aa750f50c45a143ca57cd2d9d06246f6e3ffc4f9df5ffaa22", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Error parsing xml file \" + file + \" code due \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0599b018bbbd5e0aa750f50c45a143ca57cd2d9d06246f6e3ffc4f9df5ffaa22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-csimple-maven-plugin/src/main/java/org/apache/camel/maven/GenerateMojo.java"}, "region": {"startLine": 223}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `handle` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, if=3, nested_bonus=3, ternary=1."}, "properties": {"repobilityId": 95222, "scanner": "repobility-threat-engine", "fingerprint": "cf84d7f8e471bcc793ffd6394791a860512afc3f0676699b2623d8b1c9f87f13", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "handle", "breakdown": {"if": 3, "except": 1, "ternary": 1, "nested_bonus": 3}, "complexity": 8, "correlation_key": "fp|cf84d7f8e471bcc793ffd6394791a860512afc3f0676699b2623d8b1c9f87f13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-ai/camel-huggingface/src/main/resources/org/apache/camel/component/huggingface/tasks/sentence_embeddings.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 95307, "scanner": "repobility-docker", "fingerprint": "6d15e4ee83919100fde837125cb2d64e570508ed4d081ee1d7bc492e4025dd22", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mirror.gcr.io/hivemq/hivemq-ce:$HIVEMQ_VERSION", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|6d15e4ee83919100fde837125cb2d64e570508ed4d081ee1d7bc492e4025dd22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test-infra/camel-test-infra-hivemq/src/main/resources/org/apache/camel/test/infra/hivemq/services/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 95304, "scanner": "repobility-docker", "fingerprint": "43283f08123972aa689547e8ef046cd60ea8d7ec99e0ff437f6ff85657c822be", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$FROMIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|43283f08123972aa689547e8ef046cd60ea8d7ec99e0ff437f6ff85657c822be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test-infra/camel-test-infra-cli/src/main/resources/org/apache/camel/test/infra/cli/services/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 95303, "scanner": "repobility-docker", "fingerprint": "de7f2810c6736d1058837bf43338a41a0ff63c3c6e68d996c66d6b02c3be5f39", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${container.base-image}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|de7f2810c6736d1058837bf43338a41a0ff63c3c6e68d996c66d6b02c3be5f39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dsl/camel-jbang/camel-launcher-container/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 95261, "scanner": "repobility-threat-engine", "fingerprint": "c731739c550077a7171ceea6e0da993fb30e89cb502a86b2c4cc102045f3f361", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "Print(config.isPrettyPrint()", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|6|print config.isprettyprint"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-fhir/camel-fhir-component/src/main/java/org/apache/camel/component/fhir/internal/FhirHelper.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 95254, "scanner": "repobility-threat-engine", "fingerprint": "ae9dde3631709fa1c71624b6261696afdcf0dd03a25226a26f76dfc4712196dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ae9dde3631709fa1c71624b6261696afdcf0dd03a25226a26f76dfc4712196dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-box/camel-box-api/src/main/java/org/apache/camel/component/box/api/BoxCommentsManager.java"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 95253, "scanner": "repobility-threat-engine", "fingerprint": "3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "aggregated_count": 3}}}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 95249, "scanner": "repobility-threat-engine", "fingerprint": "82ea2fc1d3decdb32b747a07b3079adfb59f77b8f2f94223231300665b2c2712", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|82ea2fc1d3decdb32b747a07b3079adfb59f77b8f2f94223231300665b2c2712"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 95245, "scanner": "repobility-threat-engine", "fingerprint": "9482c3f263cf4ee9574c93ef4cfce44a19e99c70d44aceead87b2ef9efb8e4d4", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9482c3f263cf4ee9574c93ef4cfce44a19e99c70d44aceead87b2ef9efb8e4d4"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 95244, "scanner": "repobility-threat-engine", "fingerprint": "f3cd2d4b7229b16451340e1dfd0d89ad2e5c7ee7feda4b1cb76bb5ddff0b7458", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|52|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-ai/camel-pgvector/src/main/java/org/apache/camel/component/pgvector/transform/PgVectorEmbeddingsDataTypeTransformer.java"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 95243, "scanner": "repobility-threat-engine", "fingerprint": "3719b63381d57f26715fa2a2032b0f6afccf54a87d64998ce6720f796ff37bb0", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|149|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-ai/camel-pgvector/src/main/java/org/apache/camel/component/pgvector/PgVectorProducer.java"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 95242, "scanner": "repobility-threat-engine", "fingerprint": "8250a6bd3dd630bae9531be93fe78ac37a4b3ee6131d04e51cb76aa20b241a0a", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|41|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-ai/camel-neo4j/src/main/java/org/apache/camel/component/neo4j/transformer/Neo4jEmbeddingDataTypeTransformer.java"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 95241, "scanner": "repobility-threat-engine", "fingerprint": "fe63a0c3db36cbf73bb9f04d5837f9f34863a99ac7da05df7321980a56d87019", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fe63a0c3db36cbf73bb9f04d5837f9f34863a99ac7da05df7321980a56d87019"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 95234, "scanner": "repobility-threat-engine", "fingerprint": "7f2d6d59cbe7894dfe3a7b339026aec55039f00ff23040a911eddbc37a7272a1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7f2d6d59cbe7894dfe3a7b339026aec55039f00ff23040a911eddbc37a7272a1", "aggregated_count": 10}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 95233, "scanner": "repobility-threat-engine", "fingerprint": "add4f0786456ba034358a447b6d5cc30e38e98700f95b9829a3716086ff8e1d1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|add4f0786456ba034358a447b6d5cc30e38e98700f95b9829a3716086ff8e1d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-bonita/src/main/java/org/apache/camel/component/bonita/api/util/BonitaAPIConfig.java"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 95232, "scanner": "repobility-threat-engine", "fingerprint": "4a325b51af2e12ca265f0936f8ca0a1361ed5a1f89e1498e8fb8c3f0cdcf77cb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a325b51af2e12ca265f0936f8ca0a1361ed5a1f89e1498e8fb8c3f0cdcf77cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 95231, "scanner": "repobility-threat-engine", "fingerprint": "dc2a4c1409d5c4ab033d80f23d8daf5d0ee0af6cb43c510b22bb368c995679b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc2a4c1409d5c4ab033d80f23d8daf5d0ee0af6cb43c510b22bb368c995679b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/CamelXmlHelper.java"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 65 more): Same pattern found in 65 additional files. Review if needed."}, "properties": {"repobilityId": 95230, "scanner": "repobility-threat-engine", "fingerprint": "e3b80f6a00c28565aacfd9ca5f50254e1eb16ebb7adb11f4f9246836195a102b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 65 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 65 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e3b80f6a00c28565aacfd9ca5f50254e1eb16ebb7adb11f4f9246836195a102b"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "properties": {"repobilityId": 95226, "scanner": "repobility-threat-engine", "fingerprint": "70ef803f595fd5f715f0960557bb317a7dfeb8b65effa19fe68b288e9fe74314", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 39 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 39 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|70ef803f595fd5f715f0960557bb317a7dfeb8b65effa19fe68b288e9fe74314"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `.mvn/wrapper/maven-wrapper.jar` committed in source repo: `.mvn/wrapper/maven-wrapper.jar` is a .jar binary (63,093 bytes) committed to a repo that otherwise has 25292 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 95366, "scanner": "repobility-supply-chain", "fingerprint": "1f8e0ecd40aec7f9eb199d7e40e91864cda6e59a8a7d027667e0e2bbded765f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f8e0ecd40aec7f9eb199d7e40e91864cda6e59a8a7d027667e0e2bbded765f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".mvn/wrapper/maven-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `dsl/camel-jbang/camel-jbang-core/src/main/resources/maven-wrapper/maven-wrapper.jar` committed in source repo: `dsl/camel-jbang/camel-jbang-core/src/main/resources/maven-wrapper/maven-wrapper.jar` is a .jar binary (63,093 bytes) committed to a repo that otherwise has 25292 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 95365, "scanner": "repobility-supply-chain", "fingerprint": "42050dfff7818f7874e60a6dca56a88adf719a833ccd7427ea5f3a06254d093a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42050dfff7818f7874e60a6dca56a88adf719a833ccd7427ea5f3a06254d093a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dsl/camel-jbang/camel-jbang-core/src/main/resources/maven-wrapper/maven-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `components/camel-datasonnet/src/test/resources/dslibs.jar` committed in source repo: `components/camel-datasonnet/src/test/resources/dslibs.jar` is a .jar binary (786 bytes) committed to a repo that otherwise has 25292 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 95364, "scanner": "repobility-supply-chain", "fingerprint": "a79f43f274c02e398ba7a8177ce6f48be6ef54630bb1e915f8c7787007674e9a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a79f43f274c02e398ba7a8177ce6f48be6ef54630bb1e915f8c7787007674e9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-datasonnet/src/test/resources/dslibs.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95363, "scanner": "repobility-supply-chain", "fingerprint": "f6f0ca2f21d920469299bfbce5f01f312e15644d09dfa8bb52880631d8fdd4a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6f0ca2f21d920469299bfbce5f01f312e15644d09dfa8bb52880631d8fdd4a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-labeler.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95362, "scanner": "repobility-supply-chain", "fingerprint": "4e93be8d56622b74302381ed4383f5f5e0d8032efde18f49254c456b1a3a7da3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e93be8d56622b74302381ed4383f5f5e0d8032efde18f49254c456b1a3a7da3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-labeler.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7.0.1`: `uses: actions/upload-artifact@v7.0.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95361, "scanner": "repobility-supply-chain", "fingerprint": "b0a5dd0266a47b4798f0b835bc83257f1b147b3eb08c06d1f983ff1b6ce8d61d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0a5dd0266a47b4798f0b835bc83257f1b147b3eb08c06d1f983ff1b6ce8d61d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-container-versions.yml"}, "region": {"startLine": 370}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95360, "scanner": "repobility-supply-chain", "fingerprint": "84784dd8497be263b97047eb857a8dca34d255bbf9a53918a67d74e8f9be0431", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84784dd8497be263b97047eb857a8dca34d255bbf9a53918a67d74e8f9be0431"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-container-versions.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95359, "scanner": "repobility-supply-chain", "fingerprint": "8ae5e1537b5b0e4677a59004dd7d847ac554a197c6529a2c90a0d6f5f8cb9d9f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ae5e1537b5b0e4677a59004dd7d847ac554a197c6529a2c90a0d6f5f8cb9d9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-container-versions.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95358, "scanner": "repobility-supply-chain", "fingerprint": "61eff0561ed323da0cd45ff13fbfd37d72202d3a706d6b39bdf2a676dd90b46e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61eff0561ed323da0cd45ff13fbfd37d72202d3a706d6b39bdf2a676dd90b46e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-id.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95357, "scanner": "repobility-supply-chain", "fingerprint": "850fe1f6200919fdd47eb5b6fdfccb02980cdc7c515a2ffd5c9bfe55c7da2e3c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|850fe1f6200919fdd47eb5b6fdfccb02980cdc7c515a2ffd5c9bfe55c7da2e3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sonar-scan.yml"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95356, "scanner": "repobility-supply-chain", "fingerprint": "89ea52d4916c8df85d5ba5f696bef51a58af4ebe909fa34590a73e3741de6ca2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|89ea52d4916c8df85d5ba5f696bef51a58af4ebe909fa34590a73e3741de6ca2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sonar-scan.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95355, "scanner": "repobility-supply-chain", "fingerprint": "296dbc09f3a8ed4d2332bbe2e544ce7815abd536915a7f1dcefef92ef67bdff9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|296dbc09f3a8ed4d2332bbe2e544ce7815abd536915a7f1dcefef92ef67bdff9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sonar-scan.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95354, "scanner": "repobility-supply-chain", "fingerprint": "7ae7a8618e84655d3a95a0673c187a5de1fbc4f7e9f3f8953249f14eb2bdc15b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ae7a8618e84655d3a95a0673c187a5de1fbc4f7e9f3f8953249f14eb2bdc15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sonar-scan.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95353, "scanner": "repobility-supply-chain", "fingerprint": "a1156fbee3420570750e7f0905468df0bdb678ea9a4d29eededf1aa8c0632c47", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a1156fbee3420570750e7f0905468df0bdb678ea9a4d29eededf1aa8c0632c47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-commenter.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95352, "scanner": "repobility-supply-chain", "fingerprint": "46f7e83def6127c0f47e947c76c04e6d9e4646562e139b7efa4e28d4bf62c3a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46f7e83def6127c0f47e947c76c04e6d9e4646562e139b7efa4e28d4bf62c3a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-commenter.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95351, "scanner": "repobility-supply-chain", "fingerprint": "5e88643d28a7eb8ac88154be8088554ed70119ca2c3ffad7640a40598913cff6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e88643d28a7eb8ac88154be8088554ed70119ca2c3ffad7640a40598913cff6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-commenter.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7.0.1`: `uses: actions/upload-artifact@v7.0.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95350, "scanner": "repobility-supply-chain", "fingerprint": "bca0431f9194a9b3ac3aaf632e9203ec901265f070afc63737fdbb57023f3087", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bca0431f9194a9b3ac3aaf632e9203ec901265f070afc63737fdbb57023f3087"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95349, "scanner": "repobility-supply-chain", "fingerprint": "a7045e076a800ce6900f9d0412d7a729d33868891f377dfc147fe3ccf8d9827a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7045e076a800ce6900f9d0412d7a729d33868891f377dfc147fe3ccf8d9827a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 95348, "scanner": "repobility-supply-chain", "fingerprint": "94b73f4e4d8b9f1b82722bad96540c9c74911265d431476417baa46222ee6c92", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|94b73f4e4d8b9f1b82722bad96540c9c74911265d431476417baa46222ee6c92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mirror.gcr.io/fedora:43` not pinned by digest: `FROM mirror.gcr.io/fedora:43` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 95347, "scanner": "repobility-supply-chain", "fingerprint": "7e26ab352e5a091539574c7552db32b306eb54650110a6a963fa0efb0a78778b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e26ab352e5a091539574c7552db32b306eb54650110a6a963fa0efb0a78778b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test-infra/camel-test-infra-smb/src/main/resources/org/apache/camel/test/infra/smb/services/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mirror.gcr.io/hivemq/hivemq-ce (no tag)` not pinned by digest: `FROM mirror.gcr.io/hivemq/hivemq-ce (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 95346, "scanner": "repobility-supply-chain", "fingerprint": "6aaae74035b4ec72ff78e73ede762014d58411bdb46707f49338b129cff82410", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6aaae74035b4ec72ff78e73ede762014d58411bdb46707f49338b129cff82410"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test-infra/camel-test-infra-hivemq/src/main/resources/org/apache/camel/test/infra/hivemq/services/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi9/openjdk-21-runtime:1.24` not pinned by digest: `FROM registry.access.redhat.com/ubi9/openjdk-21-runtime:1.24` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 95345, "scanner": "repobility-supply-chain", "fingerprint": "a15355d39ede9712531fcea5c645222995d9aa5c30d0129ee7a6bf7101e8769d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a15355d39ede9712531fcea5c645222995d9aa5c30d0129ee7a6bf7101e8769d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dsl/camel-jbang/camel-jbang-core/src/main/resources/quarkus-docker/Dockerfile.jvm"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `quay.io/quarkus/ubi9-quarkus-micro-image:2.0` not pinned by digest: `FROM quay.io/quarkus/ubi9-quarkus-micro-image:2.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 95344, "scanner": "repobility-supply-chain", "fingerprint": "e8325e39a26ea054406382fb19f7d4039f1b03fd110da9343dd2d16ba9dc86ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8325e39a26ea054406382fb19f7d4039f1b03fd110da9343dd2d16ba9dc86ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dsl/camel-jbang/camel-jbang-core/src/main/resources/quarkus-docker/Dockerfile.native-micro"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi9/ubi-minimal:9.7` not pinned by digest: `FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 95343, "scanner": "repobility-supply-chain", "fingerprint": "04bf4c5a9ce6ad0534bde48ce5da45a5c537b36e76b0c8189757f52ae544588d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04bf4c5a9ce6ad0534bde48ce5da45a5c537b36e76b0c8189757f52ae544588d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dsl/camel-jbang/camel-jbang-core/src/main/resources/quarkus-docker/Dockerfile.native"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eclipse-temurin:21-jdk` not pinned by digest: `FROM eclipse-temurin:21-jdk` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 95342, "scanner": "repobility-supply-chain", "fingerprint": "2b28bc46352df2fd5f34a968a31a7cf72dc8b3d0a01bfd02d553aedaf06e74c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b28bc46352df2fd5f34a968a31a7cf72dc8b3d0a01bfd02d553aedaf06e74c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dsl/camel-jbang/camel-jbang-container/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.check_image_versions` used but never assigned in __init__: Method `run_check` of class `ContainerVersionChecker` reads `self.check_image_versions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95338, "scanner": "repobility-ast-engine", "fingerprint": "158e392d13f6ca991e529e15a7b4944ade2ed64a5b92b4b36bac7a8e34ca518e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|158e392d13f6ca991e529e15a7b4944ade2ed64a5b92b4b36bac7a8e34ca518e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 966}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parse_properties_file` used but never assigned in __init__: Method `run_check` of class `ContainerVersionChecker` reads `self.parse_properties_file`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95337, "scanner": "repobility-ast-engine", "fingerprint": "04d9331f8dfe72c09a3f2c153f10adae2adc4a16bbb460862ae1d75c117f50c6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|04d9331f8dfe72c09a3f2c153f10adae2adc4a16bbb460862ae1d75c117f50c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 949}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.find_container_properties_files` used but never assigned in __init__: Method `run_check` of class `ContainerVersionChecker` reads `self.find_container_properties_files`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95336, "scanner": "repobility-ast-engine", "fingerprint": "159bd6eec6cb00773eb1c76a719476987cb1bc3048c85abae01979f0a1f483de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|159bd6eec6cb00773eb1c76a719476987cb1bc3048c85abae01979f0a1f483de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 932}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._is_prerelease` used but never assigned in __init__: Method `check_image_versions` of class `ContainerVersionChecker` reads `self._is_prerelease`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95335, "scanner": "repobility-ast-engine", "fingerprint": "5b8ec0d71978e443ef998619e1f97d7dc82e827ad62c627f33a28526185b327a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5b8ec0d71978e443ef998619e1f97d7dc82e827ad62c627f33a28526185b327a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 903}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parse_container_reference` used but never assigned in __init__: Method `parse_properties_file` of class `ContainerVersionChecker` reads `self.parse_container_reference`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95334, "scanner": "repobility-ast-engine", "fingerprint": "c0510a7540cfa4b049e9963e468adef50c34385f24d354addc2b25564cb5c0b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c0510a7540cfa4b049e9963e468adef50c34385f24d354addc2b25564cb5c0b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 773}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.timeout` used but never assigned in __init__: Method `get_available_versions` of class `MicrosoftRegistryAPI` reads `self.timeout`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95333, "scanner": "repobility-ast-engine", "fingerprint": "09ccaba671ad98aa82a4ae12d4e48fb181aefa2baf2ccb898596ebced45dbba4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|09ccaba671ad98aa82a4ae12d4e48fb181aefa2baf2ccb898596ebced45dbba4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 554}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.session` used but never assigned in __init__: Method `get_available_versions` of class `MicrosoftRegistryAPI` reads `self.session`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95332, "scanner": "repobility-ast-engine", "fingerprint": "22fc027578efbe5938632c68a9394ee035c4d5fa6917cd199688b9e052f6930a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22fc027578efbe5938632c68a9394ee035c4d5fa6917cd199688b9e052f6930a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 554}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.timeout` used but never assigned in __init__: Method `get_available_versions` of class `NVIDIARegistryAPI` reads `self.timeout`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95331, "scanner": "repobility-ast-engine", "fingerprint": "d2d588b3f70dcd2e3805648bf9a5c265a6e819709030c74f01bcff3511abb055", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d2d588b3f70dcd2e3805648bf9a5c265a6e819709030c74f01bcff3511abb055"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 524}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.session` used but never assigned in __init__: Method `get_available_versions` of class `NVIDIARegistryAPI` reads `self.session`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95330, "scanner": "repobility-ast-engine", "fingerprint": "d562e1fa8252d994464b8232af1a9d16382d87a9b7d57f5087e22388fb67301d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d562e1fa8252d994464b8232af1a9d16382d87a9b7d57f5087e22388fb67301d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 524}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.timeout` used but never assigned in __init__: Method `get_available_versions` of class `ElasticRegistryAPI` reads `self.timeout`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95329, "scanner": "repobility-ast-engine", "fingerprint": "0d6d5045cc2cf1e1625ca3e1b9eefa4ea93a9e1918747ffd81ae736cf8e7a39e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0d6d5045cc2cf1e1625ca3e1b9eefa4ea93a9e1918747ffd81ae736cf8e7a39e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 494}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.session` used but never assigned in __init__: Method `get_available_versions` of class `ElasticRegistryAPI` reads `self.session`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95328, "scanner": "repobility-ast-engine", "fingerprint": "94ff5b9c2f8e1b080a088a41b002e1aaab6fce64f852066732f6d2f68018651c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|94ff5b9c2f8e1b080a088a41b002e1aaab6fce64f852066732f6d2f68018651c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 494}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.timeout` used but never assigned in __init__: Method `get_available_versions` of class `DockerV2RegistryAPI` reads `self.timeout`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95327, "scanner": "repobility-ast-engine", "fingerprint": "14167deb1e1df39e180ce2502eabaa97499734942959c85dec6291d1f9bd8252", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|14167deb1e1df39e180ce2502eabaa97499734942959c85dec6291d1f9bd8252"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 464}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.session` used but never assigned in __init__: Method `get_available_versions` of class `DockerV2RegistryAPI` reads `self.session`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95326, "scanner": "repobility-ast-engine", "fingerprint": "134214dcec29e1538a980e41fddf6f71213df18070e0bb2aaff3a9950e0f5dae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|134214dcec29e1538a980e41fddf6f71213df18070e0bb2aaff3a9950e0f5dae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 464}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.timeout` used but never assigned in __init__: Method `get_available_versions` of class `GHCRAPI` reads `self.timeout`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95325, "scanner": "repobility-ast-engine", "fingerprint": "e6f740076e3d9111931b68759b9e416dc113206434710c9de4a471b0b0722a22", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e6f740076e3d9111931b68759b9e416dc113206434710c9de4a471b0b0722a22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 430}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.session` used but never assigned in __init__: Method `get_available_versions` of class `GHCRAPI` reads `self.session`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95324, "scanner": "repobility-ast-engine", "fingerprint": "72e0c400d7ad96a111a239a7a4a5033f2897bc67cc8a93be582bb12b2ad291bc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|72e0c400d7ad96a111a239a7a4a5033f2897bc67cc8a93be582bb12b2ad291bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 430}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.timeout` used but never assigned in __init__: Method `get_available_versions` of class `GCRAPI` reads `self.timeout`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95323, "scanner": "repobility-ast-engine", "fingerprint": "98c978b51ae986fcc96f151d1291bf5272d32ce9580fc57df0e32e1b295eadeb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|98c978b51ae986fcc96f151d1291bf5272d32ce9580fc57df0e32e1b295eadeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 399}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.session` used but never assigned in __init__: Method `get_available_versions` of class `GCRAPI` reads `self.session`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95322, "scanner": "repobility-ast-engine", "fingerprint": "2c1d9974f1b3db9f9d9af055df6e1075d5345eb3572f7feb753265a6eef37ee3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2c1d9974f1b3db9f9d9af055df6e1075d5345eb3572f7feb753265a6eef37ee3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 399}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.timeout` used but never assigned in __init__: Method `get_available_versions` of class `QuayAPI` reads `self.timeout`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95321, "scanner": "repobility-ast-engine", "fingerprint": "eb6727e873f3f507a2d420049a7f1f1b59004fcbb326a9a24770faf503f9431b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb6727e873f3f507a2d420049a7f1f1b59004fcbb326a9a24770faf503f9431b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 358}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.session` used but never assigned in __init__: Method `get_available_versions` of class `QuayAPI` reads `self.session`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95320, "scanner": "repobility-ast-engine", "fingerprint": "d5e20482e0cdfa204e05b71794c20a298d2a8599a09edf520eaa27c65317cc6f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d5e20482e0cdfa204e05b71794c20a298d2a8599a09edf520eaa27c65317cc6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 358}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.timeout` used but never assigned in __init__: Method `get_available_versions` of class `DockerHubAPI` reads `self.timeout`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95319, "scanner": "repobility-ast-engine", "fingerprint": "5ce3ddd68affda28a678f569ecd127bdc48c9df9a69bb8481ac49b16c1e67cbe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5ce3ddd68affda28a678f569ecd127bdc48c9df9a69bb8481ac49b16c1e67cbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 320}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.session` used but never assigned in __init__: Method `get_available_versions` of class `DockerHubAPI` reads `self.session`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95318, "scanner": "repobility-ast-engine", "fingerprint": "49a3706c7c3f1c153f889ad9d557888f2cc7b6578f09fb1cd25b39ee3a836e52", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|49a3706c7c3f1c153f889ad9d557888f2cc7b6578f09fb1cd25b39ee3a836e52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 320}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._version_pattern` used but never assigned in __init__: Method `is_version_allowed` of class `ContainerImage` reads `self._version_pattern`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95317, "scanner": "repobility-ast-engine", "fingerprint": "e180f0762db897dcb484c7107a1be7022a338b2b32f7387e620a307823e47391", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e180f0762db897dcb484c7107a1be7022a338b2b32f7387e620a307823e47391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.full_name` used but never assigned in __init__: Method `full_image` of class `ContainerImage` reads `self.full_name`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95316, "scanner": "repobility-ast-engine", "fingerprint": "2d58d6f481a74b8ad5a51bf54dbd6426635ad0ad8ac5cca76752015dafe316a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2d58d6f481a74b8ad5a51bf54dbd6426635ad0ad8ac5cca76752015dafe316a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._version_pattern` used but never assigned in __init__: Method `__post_init__` of class `ContainerImage` reads `self._version_pattern`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 95315, "scanner": "repobility-ast-engine", "fingerprint": "47aed429585b08181a2343c817564bff813bf7294a7d87ce1551a8382d80a232", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|47aed429585b08181a2343c817564bff813bf7294a7d87ce1551a8382d80a232"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-container-upgrade/check-container-versions.py"}, "region": {"startLine": 215}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 95308, "scanner": "repobility-docker", "fingerprint": "3ab621d7ca8329b1e349cdf23872d2f75a4dae36a1556a11bae62d9d4de5bdb6", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3ab621d7ca8329b1e349cdf23872d2f75a4dae36a1556a11bae62d9d4de5bdb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test-infra/camel-test-infra-hivemq/src/main/resources/org/apache/camel/test/infra/hivemq/services/Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 95306, "scanner": "repobility-docker", "fingerprint": "36bc656b0977178aca790c10ddfe24fca98503bbc14a17daff60b3f0e7aca9df", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|36bc656b0977178aca790c10ddfe24fca98503bbc14a17daff60b3f0e7aca9df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test-infra/camel-test-infra-cli/src/main/resources/org/apache/camel/test/infra/cli/services/Dockerfile"}, "region": {"startLine": 55}}}]}, {"ruleId": "DKR004", "level": "error", "message": {"text": "Docker build secret exposed through ARG"}, "properties": {"repobilityId": 95305, "scanner": "repobility-docker", "fingerprint": "e8c81221b867ca0749e01eb10b85e731e84c3b2c317fdf20be270e6531382b40", "category": "docker", "severity": "high", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ARG name looks secret-bearing; BuildKit secret mounts are the safer pattern.", "evidence": {"rule_id": "DKR004", "scanner": "repobility-docker", "variable": "SSH_PASSWORD", "references": ["https://docs.docker.com/build/building/secrets/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e8c81221b867ca0749e01eb10b85e731e84c3b2c317fdf20be270e6531382b40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test-infra/camel-test-infra-cli/src/main/resources/org/apache/camel/test/infra/cli/services/Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC111", "level": "error", "message": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS."}, "properties": {"repobilityId": 95263, "scanner": "repobility-threat-engine", "fingerprint": "8d3f7dc1f0d35fddf09478db3e240e10a75d75d07608f6d268b92673d8c9f69f", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SafeString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC111", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8d3f7dc1f0d35fddf09478db3e240e10a75d75d07608f6d268b92673d8c9f69f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-google/camel-google-mail/src/main/java/org/apache/camel/component/google/mail/transform/GoogleMailDraftDataTypeTransformer.java"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC113", "level": "error", "message": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "properties": {"repobilityId": 95262, "scanner": "repobility-threat-engine", "fingerprint": "e95ec5307f5187ed23ad24a112c21c433a5812e6abda667690bd44194df15127", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "strictHostKeyChecking = \"no", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC113", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|43|sec113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-ftp/src/main/java/org/apache/camel/component/file/remote/SftpComponent.java"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 95260, "scanner": "repobility-threat-engine", "fingerprint": "328e032a77570bfdac2d71861447126b580ff39ed6fe67d669d78fd00cedf462", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(new", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|328e032a77570bfdac2d71861447126b580ff39ed6fe67d669d78fd00cedf462"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-docker/src/main/java/org/apache/camel/component/docker/consumer/DockerStatsConsumer.java"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 95259, "scanner": "repobility-threat-engine", "fingerprint": "a0635a1d84459c590378f49391c5c817b366cdf7b4d9950b850d515f98853b50", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(new", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a0635a1d84459c590378f49391c5c817b366cdf7b4d9950b850d515f98853b50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-docker/src/main/java/org/apache/camel/component/docker/consumer/DockerEventsConsumer.java"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 95252, "scanner": "repobility-threat-engine", "fingerprint": "b307ea9456300346c4f5ff1320764dc25ec0e75ae99470588bec9dfe41e5fcff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b307ea9456300346c4f5ff1320764dc25ec0e75ae99470588bec9dfe41e5fcff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-as2/camel-as2-api/src/main/java/org/apache/camel/component/as2/api/AS2SignatureAlgorithm.java"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 95251, "scanner": "repobility-threat-engine", "fingerprint": "cc251072ed80b1e05f010704a0ca3a94d4cb1371407a827209ed540407c7a898", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cc251072ed80b1e05f010704a0ca3a94d4cb1371407a827209ed540407c7a898"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-as2/camel-as2-api/src/main/java/org/apache/camel/component/as2/api/AS2MicAlgorithm.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 95250, "scanner": "repobility-threat-engine", "fingerprint": "91d5498c32278a541a1b74780ef0a414ea8c6a917b88fb0244db3a3419ccb9ef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|91d5498c32278a541a1b74780ef0a414ea8c6a917b88fb0244db3a3419ccb9ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-as2/camel-as2-api/src/main/java/org/apache/camel/component/as2/api/AS2EncryptionAlgorithm.java"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 95240, "scanner": "repobility-threat-engine", "fingerprint": "174d5e821560bb931ec118f3ad952d4d533228a42c79b5a72acef47d84bfdb5d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "image.save(os, fileType);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|174d5e821560bb931ec118f3ad952d4d533228a42c79b5a72acef47d84bfdb5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-ai/camel-djl/src/main/java/org/apache/camel/component/djl/DJLConverter.java"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 95239, "scanner": "repobility-threat-engine", "fingerprint": "c5534a8392367e5517b69b583235a2b419f4f9b9a0ef9989ef073bb2d8b22441", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "s.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c5534a8392367e5517b69b583235a2b419f4f9b9a0ef9989ef073bb2d8b22441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-activemq6/src/main/java/org/apache/camel/component/activemq6/ActiveMQComponent.java"}, "region": {"startLine": 254}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 95238, "scanner": "repobility-threat-engine", "fingerprint": "3c47f69c110fef03db1fe34c23577196ec8d3ec9eaa22599505a3c2a33d93445", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "s.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3c47f69c110fef03db1fe34c23577196ec8d3ec9eaa22599505a3c2a33d93445"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-activemq/src/main/java/org/apache/camel/component/activemq/ActiveMQComponent.java"}, "region": {"startLine": 254}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 95237, "scanner": "repobility-threat-engine", "fingerprint": "61779754207bc3eb0c3abdda07ffed8cd44f54a174450f6bf8d2df3e8ea0f789", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61779754207bc3eb0c3abdda07ffed8cd44f54a174450f6bf8d2df3e8ea0f789"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 95236, "scanner": "repobility-threat-engine", "fingerprint": "4c0cbb1943c0cb69f68b885f62eec323503c51b216b94f22be8456abc1a6e977", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c0cbb1943c0cb69f68b885f62eec323503c51b216b94f22be8456abc1a6e977"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 95235, "scanner": "repobility-threat-engine", "fingerprint": "14d88fb049ca55b3654828c9bf47ef416d977c8f38cc153d6359e7da5cdbbe5f", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|14d88fb049ca55b3654828c9bf47ef416d977c8f38cc153d6359e7da5cdbbe5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 95225, "scanner": "repobility-threat-engine", "fingerprint": "a2ce4b2c4a537c6cca4004d0d75dd89f345fd7eee5720ca8b844684ed36eb849", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(U", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a2ce4b2c4a537c6cca4004d0d75dd89f345fd7eee5720ca8b844684ed36eb849"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-catalog-maven/src/main/java/org/apache/camel/catalog/maven/OpenURLClassLoader.java"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 95224, "scanner": "repobility-threat-engine", "fingerprint": "5447ebefc01f27334fe6e9898b50a230222cf8fbc6c47ae22185c034fe81fe56", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5447ebefc01f27334fe6e9898b50a230222cf8fbc6c47ae22185c034fe81fe56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-catalog-maven/src/main/java/org/apache/camel/catalog/maven/MavenVersionManager.java"}, "region": {"startLine": 211}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 95223, "scanner": "repobility-threat-engine", "fingerprint": "22568fe56434a96e813b82b29bd8dca7b39a27cd01f0b0be23724bf0405a7864", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|22568fe56434a96e813b82b29bd8dca7b39a27cd01f0b0be23724bf0405a7864"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "catalog/camel-catalog-maven/src/main/java/org/apache/camel/catalog/maven/DefaultMavenArtifactProvider.java"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 95255, "scanner": "repobility-threat-engine", "fingerprint": "5d900012af58b9e870ff661a0e2bc86071c520822ab3edd68f8d3d7ade40a550", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(int", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d900012af58b9e870ff661a0e2bc86071c520822ab3edd68f8d3d7ade40a550"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-cxf/camel-cxf-common/src/main/java/org/apache/camel/component/cxf/converter/DelegatingXMLStreamReader.java"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 95246, "scanner": "repobility-threat-engine", "fingerprint": "84b2807094ed7de20c528f575c387af80d68f4af063b2f3c375a3f501044f25a", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.2 bits) \u2014 likely real secret", "evidence": {"match": "Password=\"<redacted> == null ? \"", "reason": "High entropy value (4.2 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|12|password redacted null"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/camel-amqp/src/main/java/org/apache/camel/component/amqp/AMQPComponent.java"}, "region": {"startLine": 121}}}]}]}]}