{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC014", "name": "Database data bind mount is inside the Docker build context", "shortDescription": {"text": "Database data bind mount is inside the Docker build context"}, "fullDescription": {"text": "Keeping live database files under the repository/build context can leak data into Docker builds, slow context loading, and make accidental commits more likely."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `process_documents` has cognitive complexity 9 (SonarSource scale). Cognit", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `process_documents` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recurs"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 9."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `sw360` image is selected through a build variable", "shortDescription": {"text": "Compose service `sw360` image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED077] Python Open No Context (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC001] Hardcoded Password (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool.", "shortDescription": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 1 more): Same pattern found in 1 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 20 more): Same pattern found in 20 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-7pwc-h2j2-rjgj", "name": "org.apache.thrift:libthrift: GHSA-7pwc-h2j2-rjgj", "shortDescription": {"text": "org.apache.thrift:libthrift: GHSA-7pwc-h2j2-rjgj"}, "fullDescription": {"text": "Apache Thrift has an Improper Validation of Certificate with Host Mismatch Vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. Recreating the container can lose state."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of servic"}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `couchdb:3` unpinned", "shortDescription": {"text": "Workflow container/services image `couchdb:3` unpinned"}, "fullDescription": {"text": "`container/services image: couchdb:3` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "curl-auth-user", "name": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed re", "shortDescription": {"text": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "jwt", "name": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.", "shortDescription": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1057"}, "properties": {"repository": "eclipse-sw360/sw360", "repoUrl": "https://github.com/eclipse-sw360/sw360", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 103708, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Spring Boot"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 103701, "scanner": "repobility-docker", "fingerprint": "51882cb8e1819ada9864a6f324bf5f892e492bf64ea100470ccdb96ccca9d075", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./config/couchdb/sw360_setup.ini", "target": "/opt/couchdb/etc/local.d/sw360_setup.ini", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "couchdb", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|51882cb8e1819ada9864a6f324bf5f892e492bf64ea100470ccdb96ccca9d075"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 103697, "scanner": "repobility-docker", "fingerprint": "adc6973aeb32d1fee11d0d95e6e4b8bb28b31c0021ffcbabe558a04e8e8c4621", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "couchdb-nouveau", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|adc6973aeb32d1fee11d0d95e6e4b8bb28b31c0021ffcbabe558a04e8e8c4621"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 103692, "scanner": "repobility-docker", "fingerprint": "b63c52b97d365380d4fae1f6f03bf7ef16fa5b86e47b0bea326cd8607913a4b5", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "sw360", "dependency": "couchdb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b63c52b97d365380d4fae1f6f03bf7ef16fa5b86e47b0bea326cd8607913a4b5", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 103681, "scanner": "repobility-threat-engine", "fingerprint": "88c91fc5175949db86787be122c5f99cce81881823983f3b5c9b0a3f70021c14", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|52|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/exporters/src/main/java/org/eclipse/sw360/exporter/utils/ZipTools.java"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 103675, "scanner": "repobility-threat-engine", "fingerprint": "2844fb461b03c0701aae71c26b8b61484c01f4f7f6fac1b3edc0cde8282d1176", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "log.debug(\"Event Details\" + user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2844fb461b03c0701aae71c26b8b61484c01f4f7f6fac1b3edc0cde8282d1176"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "keycloak/event-listeners/src/main/java/org/eclipse/sw360/keycloak/event/listener/service/Sw360KeycloakUserEventService.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 103674, "scanner": "repobility-threat-engine", "fingerprint": "5ac6f43d2e7d9a88f224f7decfffaaa042042cbe74c19660b2ed09f8bb37229f", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "log.info(\"Email--->: \" + user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5ac6f43d2e7d9a88f224f7decfffaaa042042cbe74c19660b2ed09f8bb37229f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "keycloak/event-listeners/src/main/java/org/eclipse/sw360/keycloak/event/listener/service/Sw360KeycloakAdminEventService.java"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 103673, "scanner": "repobility-threat-engine", "fingerprint": "9244bb567a80894d7c7a09b7caca8349b8f2560e29fd1905aa0b48ee92ffe7cb", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LOGGER.error(\"Could not add Project for user with email=[\" + user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9244bb567a80894d7c7a09b7caca8349b8f2560e29fd1905aa0b48ee92ffe7cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/wsimport/src/main/java/org/eclipse/sw360/wsimport/thrift/ThriftExchange.java"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 103640, "scanner": "repobility-ast-engine", "fingerprint": "a25b51444c7e84cf5364680846589eb87892123d7d94f92599a668020485b944", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a25b51444c7e84cf5364680846589eb87892123d7d94f92599a668020485b944"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "third-party/keycloak-tf/export_clients.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 103639, "scanner": "repobility-ast-engine", "fingerprint": "b7dc0802cdb1aa8132acec451ef699d4f7023d3f05d1649a76b632838550e752", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b7dc0802cdb1aa8132acec451ef699d4f7023d3f05d1649a76b632838550e752"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/migrations/064_migrate_unified_mail_export_config_key.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 103638, "scanner": "repobility-ast-engine", "fingerprint": "3a52feb796c80b7657f13cee53ecb249e3f0504c0938e060824af9c5a52dd289", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a52feb796c80b7657f13cee53ecb249e3f0504c0938e060824af9c5a52dd289"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/migrations/063_migrate_oauth_client_owner_email.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 103637, "scanner": "repobility-ast-engine", "fingerprint": "9b06281fd717dc17d1e8e0195086a38630fbc05d4ff8f614c62e21de086cb746", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9b06281fd717dc17d1e8e0195086a38630fbc05d4ff8f614c62e21de086cb746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/migrations/062_update_packagIds_to_map.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 103636, "scanner": "repobility-ast-engine", "fingerprint": "d036ee5571bc60f94636cd2ccf884f47a9c6ab125558034123a04acecb020559", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d036ee5571bc60f94636cd2ccf884f47a9c6ab125558034123a04acecb020559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/migrations/053_remove_whitespace_component_name.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 103702, "scanner": "repobility-docker", "fingerprint": "aef32c243f5fb8159c5c41fce79ce562021d14b4ebe9bc565c11493b94ea7bc8", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "couchdb", "dependency": "couchdb-nouveau", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|aef32c243f5fb8159c5c41fce79ce562021d14b4ebe9bc565c11493b94ea7bc8", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 103699, "scanner": "repobility-docker", "fingerprint": "a80ff825e300296b62d3a465a5bc4710bc3ffd9dbafe7fbd9fc7d6d0019fdaee", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "couchdb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a80ff825e300296b62d3a465a5bc4710bc3ffd9dbafe7fbd9fc7d6d0019fdaee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 103698, "scanner": "repobility-docker", "fingerprint": "e8658716560f0462f17ec53221b0b030412f6a8ddb5efc14457ca59a60a0125f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "couchdb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e8658716560f0462f17ec53221b0b030412f6a8ddb5efc14457ca59a60a0125f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 103694, "scanner": "repobility-docker", "fingerprint": "a267924ceafbaf2bbc059847b3c26a81871be68280b13ba6f619da846317f1b7", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "couchdb-nouveau", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a267924ceafbaf2bbc059847b3c26a81871be68280b13ba6f619da846317f1b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 103693, "scanner": "repobility-docker", "fingerprint": "49acca0cb45f4eab0ee2ca17bcbe685c08774bc6a02a32559ba5f8b7ce171305", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "couchdb-nouveau", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|49acca0cb45f4eab0ee2ca17bcbe685c08774bc6a02a32559ba5f8b7ce171305"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 103691, "scanner": "repobility-docker", "fingerprint": "18a61a8bb26a804e6cfef632759613a058e74ef8760b42ed7a6677488ec59a53", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "sw360", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|18a61a8bb26a804e6cfef632759613a058e74ef8760b42ed7a6677488ec59a53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 103690, "scanner": "repobility-docker", "fingerprint": "03e5d8c2a7fe21ade1bf86a19656116972cd4843a012090469a7079cb8850427", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "sw360", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|03e5d8c2a7fe21ade1bf86a19656116972cd4843a012090469a7079cb8850427"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 103688, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 103687, "scanner": "repobility-docker", "fingerprint": "131a017a756da92f4d69bc3294133725be422d0eddcc56ed3a9e3c661fa2195e", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|131a017a756da92f4d69bc3294133725be422d0eddcc56ed3a9e3c661fa2195e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `process_documents` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, for=1, if=3, nested_bonus=3."}, "properties": {"repobilityId": 103686, "scanner": "repobility-threat-engine", "fingerprint": "fb1e130d601a681cdbae2c2296a634bf3828aff15b361d664160b48331aee6ed", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "process_documents", "breakdown": {"if": 3, "for": 1, "continue": 2, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|fb1e130d601a681cdbae2c2296a634bf3828aff15b361d664160b48331aee6ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "third-party/keycloak-tf/export_clients.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 103652, "scanner": "repobility-threat-engine", "fingerprint": "40a541bf49e058fbbcbb01e7c9a52839c39c5e13f3b9fb45b61c836caffb9546", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"function(doc) {\" +\n                OBJ_ARRAY_TO_STRING_INDEX +\n                \"    if(!doc.type ||", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|40a541bf49e058fbbcbb01e7c9a52839c39c5e13f3b9fb45b61c836caffb9546"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/ModerationSearchHandler.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 103651, "scanner": "repobility-threat-engine", "fingerprint": "53550cf23bec92016cb55e1c5a7b3d644f6d0cfc4e0e7cb975303f1a852dbe13", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\" configuration objects in the couch db for type \" + configFor\n                            + \" while", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53550cf23bec92016cb55e1c5a7b3d644f6d0cfc4e0e7cb975303f1a852dbe13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/ConfigContainerRepository.java"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 103650, "scanner": "repobility-threat-engine", "fingerprint": "7aa7acb37a096699ae10dfa73b53234f5f4548d81c435e3a644b3fae200e3ff0", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"function(doc) {\" +\n                OBJ_ARRAY_TO_STRING_INDEX +\n                \"    if(!doc.type ||", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7aa7acb37a096699ae10dfa73b53234f5f4548d81c435e3a644b3fae200e3ff0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/ComponentSearchHandler.java"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103635, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3fbf706f0a8e01bbf15bd3c2f14dbd181e2381d56d57686798ba9922155bab8c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/exporters/src/main/java/org/eclipse/sw360/exporter/helper/ComponentHelper.java", "duplicate_line": 17, "correlation_key": "fp|3fbf706f0a8e01bbf15bd3c2f14dbd181e2381d56d57686798ba9922155bab8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/exporters/src/main/java/org/eclipse/sw360/exporter/helper/ProjectHelper.java"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103634, "scanner": "repobility-ai-code-hygiene", "fingerprint": "437bb827b7f31c01f48e78febf11a172889f0dce5ff8150bd93b42775b22b66e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/ReleasePermissions.java", "duplicate_line": 52, "correlation_key": "fp|437bb827b7f31c01f48e78febf11a172889f0dce5ff8150bd93b42775b22b66e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/VulnerabilityPermissions.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103633, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5cdac529ff6a68b009885d03f079d047eab9a6342b65e828934e669d611b9ef5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/VendorPermissions.java", "duplicate_line": 18, "correlation_key": "fp|5cdac529ff6a68b009885d03f079d047eab9a6342b65e828934e669d611b9ef5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/VulnerabilityPermissions.java"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103632, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f00851c26a1265b4e95a0b018712aa584d6c9dc49d42f0e257622b0455b7e33", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/ReleasePermissions.java", "duplicate_line": 52, "correlation_key": "fp|4f00851c26a1265b4e95a0b018712aa584d6c9dc49d42f0e257622b0455b7e33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/VendorPermissions.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103631, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94e2d26f839aedcc5ec06c6e8f42e0efa7ad518d171391a28a0f240a9c9b8783", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/LicensePermissions.java", "duplicate_line": 26, "correlation_key": "fp|94e2d26f839aedcc5ec06c6e8f42e0efa7ad518d171391a28a0f240a9c9b8783"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/UserPermissions.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103630, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99ef6f8dcaf1cb81eaf0c2e61e90cbf4bf5e4262c43dea10b954bee78ef93fe7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/ComponentPermissions.java", "duplicate_line": 94, "correlation_key": "fp|99ef6f8dcaf1cb81eaf0c2e61e90cbf4bf5e4262c43dea10b954bee78ef93fe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/SpdxPackageInfoPermissions.java"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103629, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e12d915416d45a58bdcebf9d4a23ddcb3b32b2a4ca3090075514754594c9f61", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/SpdxDocumentCreationInfoPermissions.java", "duplicate_line": 22, "correlation_key": "fp|8e12d915416d45a58bdcebf9d4a23ddcb3b32b2a4ca3090075514754594c9f61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/SpdxPackageInfoPermissions.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103628, "scanner": "repobility-ai-code-hygiene", "fingerprint": "399f5a3a1fcb40b3159186cf59cf604568045daceba6f9aa15ff3b26c76b2172", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/ComponentPermissions.java", "duplicate_line": 94, "correlation_key": "fp|399f5a3a1fcb40b3159186cf59cf604568045daceba6f9aa15ff3b26c76b2172"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/SpdxDocumentPermissions.java"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103627, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a5f543d02f4441d8db7cc23aac9963e3a1a1ae66d5e50d6957ecce15c53f779e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/SpdxDocumentCreationInfoPermissions.java", "duplicate_line": 21, "correlation_key": "fp|a5f543d02f4441d8db7cc23aac9963e3a1a1ae66d5e50d6957ecce15c53f779e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/SpdxDocumentPermissions.java"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103626, "scanner": "repobility-ai-code-hygiene", "fingerprint": "775ffa75bb46376554ae16b933d797c3faa6bc08f684e4d7cc627be88ef7ba3c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/ComponentPermissions.java", "duplicate_line": 94, "correlation_key": "fp|775ffa75bb46376554ae16b933d797c3faa6bc08f684e4d7cc627be88ef7ba3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/SpdxDocumentCreationInfoPermissions.java"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103625, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b01d5213d1ebe3f577240787a3695efa5e3c55e7d91e41f4905e7f5b2220253", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/ComponentPermissions.java", "duplicate_line": 98, "correlation_key": "fp|4b01d5213d1ebe3f577240787a3695efa5e3c55e7d91e41f4905e7f5b2220253"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/ReleasePermissions.java"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103624, "scanner": "repobility-ai-code-hygiene", "fingerprint": "587b752ed4651d01df04e5c9a5f6781a851bd3e70d461fffed878d91ec8c7bdd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/ProjectPermissions.java", "duplicate_line": 127, "correlation_key": "fp|587b752ed4651d01df04e5c9a5f6781a851bd3e70d461fffed878d91ec8c7bdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/ReleasePermissions.java"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103623, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed206ac73b416e9a5e3e6a0bbc36754ab8cecabd9426b294ccb32572f179b8f4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/ComponentPermissions.java", "duplicate_line": 66, "correlation_key": "fp|ed206ac73b416e9a5e3e6a0bbc36754ab8cecabd9426b294ccb32572f179b8f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/permissions/ProjectPermissions.java"}, "region": {"startLine": 83}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103622, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b75c4ce796c85f22b63df929556c7469667f3a2af8246635318014b67b3d12b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/couchdb/DatabaseMixInForChangeLog.java", "duplicate_line": 299, "correlation_key": "fp|b75c4ce796c85f22b63df929556c7469667f3a2af8246635318014b67b3d12b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/couchdb/DatabaseMixInForSPDXDocument.java"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103621, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2505df615ce45f42f5f92d7647c54c479ba6a8f810c9882ec7d9bcfad5019a03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "keycloak/event-listeners/src/main/java/org/eclipse/sw360/keycloak/event/listener/service/Sw360KeycloakAdminEventService.java", "duplicate_line": 179, "correlation_key": "fp|2505df615ce45f42f5f92d7647c54c479ba6a8f810c9882ec7d9bcfad5019a03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "keycloak/event-listeners/src/main/java/org/eclipse/sw360/keycloak/event/listener/service/Sw360KeycloakUserEventService.java"}, "region": {"startLine": 155}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103620, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12c74f90e5bec2de75ecb9e8efd803fc8e8fbf442b4824e62b1e15bc836508b2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/common/src/main/java/org/eclipse/sw360/datahandler/entitlement/SpdxDocumentModerator.java", "duplicate_line": 128, "correlation_key": "fp|12c74f90e5bec2de75ecb9e8efd803fc8e8fbf442b4824e62b1e15bc836508b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/datahandler/entitlement/SpdxPackageInfoModerator.java"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103619, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd68bfeb34bd5b3e7946ab92fa8c195b36285c7cefcade649becc4f0d390118e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/spdx/documentcreationinfo/SpdxDocumentCreationInfoDatabaseHandler.java", "duplicate_line": 175, "correlation_key": "fp|cd68bfeb34bd5b3e7946ab92fa8c195b36285c7cefcade649becc4f0d390118e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/spdx/packageinfo/SpdxPackageInfoDatabaseHandler.java"}, "region": {"startLine": 244}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103618, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d4a81b85eec0d7a36f6cf3f2555f33963a675b0d5f2d357f766860767291e556", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/spdx/document/SpdxDocumentDatabaseHandler.java", "duplicate_line": 236, "correlation_key": "fp|d4a81b85eec0d7a36f6cf3f2555f33963a675b0d5f2d357f766860767291e556"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/spdx/packageinfo/SpdxPackageInfoDatabaseHandler.java"}, "region": {"startLine": 243}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103617, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11ea9e7e35d258b3642e2ffdd1da8c71c27f82fcb1b79b11be853fe4e12dfb7e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/spdx/document/SpdxDocumentDatabaseHandler.java", "duplicate_line": 236, "correlation_key": "fp|11ea9e7e35d258b3642e2ffdd1da8c71c27f82fcb1b79b11be853fe4e12dfb7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/spdx/documentcreationinfo/SpdxDocumentCreationInfoDatabaseHandler.java"}, "region": {"startLine": 174}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103616, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8b8b112633c7f86c887a568e689b0cd1004b87ade048bf0e5fa0d99d724026e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/ComponentRepository.java", "duplicate_line": 86, "correlation_key": "fp|8b8b112633c7f86c887a568e689b0cd1004b87ade048bf0e5fa0d99d724026e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/ReleaseRepository.java"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 103615, "scanner": "repobility-ai-code-hygiene", "fingerprint": "67756520bdbad52fd2764c9a05da009f3b6e995a2259f6ac7238717b888d1d59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/ComponentRepository.java", "duplicate_line": 86, "correlation_key": "fp|67756520bdbad52fd2764c9a05da009f3b6e995a2259f6ac7238717b888d1d59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/ProjectRepository.java"}, "region": {"startLine": 210}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `sw360` image is selected through a build variable"}, "properties": {"repobilityId": 103689, "scanner": "repobility-docker", "fingerprint": "2ff551444d86a13c53c55d95925145b60bfeaeb24085fd5b327c16f81b4c9bda", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${SW360_IMAGE:-ghcr.io/eclipse-sw360/sw360}:${SW360_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2ff551444d86a13c53c55d95925145b60bfeaeb24085fd5b327c16f81b4c9bda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 103685, "scanner": "repobility-threat-engine", "fingerprint": "24cb949de0b3987330b23bb4f90e26bdc816ebe1ec34ae36e009f771500d6e3d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|24cb949de0b3987330b23bb4f90e26bdc816ebe1ec34ae36e009f771500d6e3d", "aggregated_count": 1}}}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 103684, "scanner": "repobility-threat-engine", "fingerprint": "cea7cfc02396bf0c244e8d504d8c880be7ed85189318bb5e7376fe77fca41080", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cea7cfc02396bf0c244e8d504d8c880be7ed85189318bb5e7376fe77fca41080"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/utilities/003_update_project_field_value_couchdb_2_x.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 103683, "scanner": "repobility-threat-engine", "fingerprint": "7009adeec2e2ce0673fa50992a937b6d984841f2b197a662a48ca3c999e7cc00", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7009adeec2e2ce0673fa50992a937b6d984841f2b197a662a48ca3c999e7cc00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/utilities/002_update_view.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 103682, "scanner": "repobility-threat-engine", "fingerprint": "10c56a69b399fd65cf2541ab9204b26dfe5ab3487ecb5dc520695f8d1910ffb1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10c56a69b399fd65cf2541ab9204b26dfe5ab3487ecb5dc520695f8d1910ffb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/utilities/001_update_project_field_value_couchdb_1_x.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 103680, "scanner": "repobility-threat-engine", "fingerprint": "224bdaf44e007e0b9c892e9f51a6afadee49a837e1b72825485f31ff4e500147", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|224bdaf44e007e0b9c892e9f51a6afadee49a837e1b72825485f31ff4e500147"}}}, {"ruleId": "SEC034", "level": "none", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 103676, "scanner": "repobility-threat-engine", "fingerprint": "0c38f3359897d8fbb05222ca133c0d09a5b4d741ea471e5ee93549f3c0437c61", "category": "log_injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0c38f3359897d8fbb05222ca133c0d09a5b4d741ea471e5ee93549f3c0437c61"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 103672, "scanner": "repobility-threat-engine", "fingerprint": "999ffc94a1118ca33292ee6a51080713f0dbfc0c98c571c8ebc0f6459461ce2a", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "LOGGER.info(\"projectName and token and id: \" + wsProject.getProjectName()", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|logger.info projectname and token and id: + wsproject.getprojectname"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/wsimport/src/main/java/org/eclipse/sw360/wsimport/thrift/ThriftUploader.java"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 103670, "scanner": "repobility-threat-engine", "fingerprint": "1adfff5b4f1ef02156e69fa383a95911049c9bce65cf92befc791b1a9ae4f274", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "LOGGER.error(\"Exception with \" + GET_PROJECT_VITALS + \" request to \" + tokenCredentials.getServerUrl", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|logger.error exception with + get_project_vitals + request to + token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/wsimport/src/main/java/org/eclipse/sw360/wsimport/rest/WsImportService.java"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 103669, "scanner": "repobility-threat-engine", "fingerprint": "331d59f562f24cac9f5458b288986980b44b7be06c2a3d68358c2d8878693536", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|331d59f562f24cac9f5458b288986980b44b7be06c2a3d68358c2d8878693536"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/datahandler/src/main/java/org/eclipse/sw360/datahandler/couchdb/AttachmentStreamConnector.java"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 103668, "scanner": "repobility-threat-engine", "fingerprint": "4c07587969961000925f541ad9e597e016560f5b61bf36dc1cff850286c38c20", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c07587969961000925f541ad9e597e016560f5b61bf36dc1cff850286c38c20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/schedule/src/main/java/org/eclipse/sw360/schedule/timer/ScheduleSyncTask.java"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 103667, "scanner": "repobility-threat-engine", "fingerprint": "0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 103666, "scanner": "repobility-threat-engine", "fingerprint": "9f2a9aaadb82a1bd3df0fb054f6f44f2d2fc940245415a846f578ceca5901496", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f2a9aaadb82a1bd3df0fb054f6f44f2d2fc940245415a846f578ceca5901496"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/commonIO/src/main/java/org/eclipse/sw360/commonIO/SampleOptions.java"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 103665, "scanner": "repobility-threat-engine", "fingerprint": "8b33c18971b1ec24ebc634fa63c25ebb39f1bb9732faca8457169f2dc4944934", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b33c18971b1ec24ebc634fa63c25ebb39f1bb9732faca8457169f2dc4944934"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/licenseinfo/src/main/java/org/eclipse/sw360/licenseinfo/parsers/SPDXParser.java"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 103664, "scanner": "repobility-threat-engine", "fingerprint": "f9be6d34d31593b010cdf4f305684a2b865184c232be7a8fc76edc275d0c9506", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f9be6d34d31593b010cdf4f305684a2b865184c232be7a8fc76edc275d0c9506"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/licenseinfo/src/main/java/org/eclipse/sw360/licenseinfo/parsers/AbstractCLIParser.java"}, "region": {"startLine": 146}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 103661, "scanner": "repobility-threat-engine", "fingerprint": "dd5b64e6744e5f494f3eafb49441a01ab167cdd11743c3d4ade0f028db583ab9", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dd5b64e6744e5f494f3eafb49441a01ab167cdd11743c3d4ade0f028db583ab9"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 103660, "scanner": "repobility-threat-engine", "fingerprint": "a71b43d4cfcdbc32fe3d1edc889fef92bdd8b85926d0ce7c5a3afb60046b2e8e", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|112|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libraries/exporters/src/main/java/org/eclipse/sw360/exporter/ExcelExporter.java"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 103659, "scanner": "repobility-threat-engine", "fingerprint": "ce0f1fb31c4681273cdf18682275db16486e809accab8edbcc232789d1ac1cb6", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|30|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/schedule/src/main/java/org/eclipse/sw360/schedule/timer/SW360Task.java"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 103658, "scanner": "repobility-threat-engine", "fingerprint": "2adcb8b12d235cb054b35305d89962d631cdbfe96f27964e8706100ecc5c2a4f", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|207|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/licenseinfo/src/main/java/org/eclipse/sw360/licenseinfo/outputGenerators/DocxUtils.java"}, "region": {"startLine": 207}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 103657, "scanner": "repobility-threat-engine", "fingerprint": "43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 103653, "scanner": "repobility-threat-engine", "fingerprint": "79fcb2a807df393afac7b312b4748654961d945d4c2dc9d9eb6a2b11439b93c8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|79fcb2a807df393afac7b312b4748654961d945d4c2dc9d9eb6a2b11439b93c8"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 103649, "scanner": "repobility-threat-engine", "fingerprint": "3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "aggregated_count": 3}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 103645, "scanner": "repobility-threat-engine", "fingerprint": "ef397bd65ac490246b20d8bf8e03ba08b255c30c874c66e1da62101f89c81278", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ef397bd65ac490246b20d8bf8e03ba08b255c30c874c66e1da62101f89c81278"}}}, {"ruleId": "GHSA-7pwc-h2j2-rjgj", "level": "error", "message": {"text": "org.apache.thrift:libthrift: GHSA-7pwc-h2j2-rjgj"}, "properties": {"repobilityId": 103707, "scanner": "osv-scanner", "fingerprint": "d551af4c3e1d4abe5c09d56c166916553aac44216ee464e0619fa5ffe9c7df0e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-thrift-2026-43869", "CVE-2026-43869"], "package": "org.apache.thrift:libthrift", "rule_id": "GHSA-7pwc-h2j2-rjgj", "scanner": "osv-scanner", "correlation_key": "vuln|org.apache.thrift:libthrift|CVE-2026-43869|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-7pwc-h2j2-rjgj"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["259312aa98ac5d770e3e606d57e0b064cc680039c7f8f46ee613fdb48ccb03bb", "d551af4c3e1d4abe5c09d56c166916553aac44216ee464e0619fa5ffe9c7df0e", "e555ef1391c5c33e9f6df9efc01a6b3f64c13eba10fa987e984f6cabfa0fdcaa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "keycloak/sw360-keycloak-common/pom.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 103700, "scanner": "repobility-docker", "fingerprint": "23b402514533e3c0ae3232af6c61dd22390997d87593904343b344b61aacebcb", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5984:5984", "target": "5984", "host_ip": "", "published": "5984"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "couchdb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|23b402514533e3c0ae3232af6c61dd22390997d87593904343b344b61aacebcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 103696, "scanner": "repobility-docker", "fingerprint": "928c639d4f3e9ff8a9682068061f76a193f928386381bc87d307520c7b7b81a6", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "couchdb-nouveau", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|928c639d4f3e9ff8a9682068061f76a193f928386381bc87d307520c7b7b81a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 103695, "scanner": "repobility-docker", "fingerprint": "682d35d33655863d92fad26e307e5b437141ee70d7217dfc65f64cef1858f08c", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5987:5987", "target": "5987", "host_ip": "", "published": "5987"}, {"raw": "5988:5988", "target": "5988", "host_ip": "", "published": "5988"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "couchdb-nouveau", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|682d35d33655863d92fad26e307e5b437141ee70d7217dfc65f64cef1858f08c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 103671, "scanner": "repobility-threat-engine", "fingerprint": "268d51e229f1ef9c412603a6a00d4cac5563d4b7f22cfea3cea6c969adf5833f", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "LOGGER.info(\"Making REST call to {} with request: {} and token: <redacted>} and userKey: {}\", tokenCredential", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|4|logger.info making rest call to with request: and token: redacted and userkey: tokencredential"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/wsimport/src/main/java/org/eclipse/sw360/wsimport/rest/WsRestClient.java"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 103662, "scanner": "repobility-threat-engine", "fingerprint": "ad786da65df1799e5e947c4310de6e7bd356798f08ebb836c6d54234a1e96edb", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "XMLInputFactory.newFactory(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad786da65df1799e5e947c4310de6e7bd356798f08ebb836c6d54234a1e96edb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/licenseinfo/src/main/java/org/eclipse/sw360/licenseinfo/parsers/AbstractCLIParser.java"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 103656, "scanner": "repobility-threat-engine", "fingerprint": "33f3d9ef8992d945909d520570e94675ddfd0b6682764b3cc4a5d8bd5886ddc7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DatabaseInstanceTrackerCloudant.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|33f3d9ef8992d945909d520570e94675ddfd0b6682764b3cc4a5d8bd5886ddc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/service-core/src/main/java/org/eclipse/sw360/SW360ServiceContextListener.java"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 103655, "scanner": "repobility-threat-engine", "fingerprint": "13c59154d54577645e9bcb6cb375e48022ca47236c37b82a017afdc4c1472320", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "db.delete(request.documentId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|13c59154d54577645e9bcb6cb375e48022ca47236c37b82a017afdc4c1472320"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/moderation/src/main/java/org/eclipse/sw360/moderation/db/DocumentDatabaseHandler.java"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 103654, "scanner": "repobility-threat-engine", "fingerprint": "f73bcd3ba773d1a3578bbf2934c599e173c267ff05169b4cb033c7e5c3ff74c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "repository.update(current);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f73bcd3ba773d1a3578bbf2934c599e173c267ff05169b4cb033c7e5c3ff74c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/fossology/src/main/java/org/eclipse/sw360/fossology/config/FossologyRestConfig.java"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 103648, "scanner": "repobility-threat-engine", "fingerprint": "f00d0091f42778c1040bf5d52c3d82b738a0701e5a017f05afe9deee52738aa5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f00d0091f42778c1040bf5d52c3d82b738a0701e5a017f05afe9deee52738aa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/client/src/main/java/org/eclipse/sw360/clients/rest/resource/attachments/SW360SparseAttachment.java"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 103647, "scanner": "repobility-threat-engine", "fingerprint": "863808af4b40750ad3bf5d84980a0edc45dc3f52759d7e2dc0943e419f6e0c8e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|863808af4b40750ad3bf5d84980a0edc45dc3f52759d7e2dc0943e419f6e0c8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/fossology/src/main/java/org/eclipse/sw360/fossology/rest/model/FossologyV2Models.java"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 103646, "scanner": "repobility-threat-engine", "fingerprint": "f923cd6fd2a5a619677b71ae992e5b9950251eb662c1d66a7f15308430d479c9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f923cd6fd2a5a619677b71ae992e5b9950251eb662c1d66a7f15308430d479c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/AttachmentRepository.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 103644, "scanner": "repobility-threat-engine", "fingerprint": "cfb6912b376e0d539e8a421e4a546cbcfeeb6ae54e26e5ec0647be721a285df0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cfb6912b376e0d539e8a421e4a546cbcfeeb6ae54e26e5ec0647be721a285df0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/licenses-core/src/main/java/org/eclipse/sw360/licenses/tools/ObligationConnector.java"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 103643, "scanner": "repobility-threat-engine", "fingerprint": "19e33b2026cd46b4af9c344e916fc2e4b0f453b39b45a4787882a0aaccf0f842", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|19e33b2026cd46b4af9c344e916fc2e4b0f453b39b45a4787882a0aaccf0f842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/datahandler/db/PackageRepository.java"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 103642, "scanner": "repobility-threat-engine", "fingerprint": "ecb79edd0e01b2ad23a0800172ca4f7f463b00e4010c2cbc178844779cf40c87", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ecb79edd0e01b2ad23a0800172ca4f7f463b00e4010c2cbc178844779cf40c87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/common/src/main/java/org/eclipse/sw360/common/utils/RepositoryURL.java"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `couchdb:3` unpinned"}, "properties": {"repobilityId": 103641, "scanner": "repobility-supply-chain", "fingerprint": "9ddd87aeb83b66801c28d58738f4d6a13e12e194eaa924e06f5c27063057ed7e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ddd87aeb83b66801c28d58738f4d6a13e12e194eaa924e06f5c27063057ed7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build_and_test.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "curl-auth-user", "level": "error", "message": {"text": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 103706, "scanner": "gitleaks", "fingerprint": "9f1978e673612d16cb4e0e13015f62d413f4265fa0c94097df4a5523776ff9f7", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl\n    -X POST\n    --user REDACTED", "rule_id": "curl-auth-user", "scanner": "gitleaks", "detector": "curl-auth-user", "correlation_key": "secret|token|14|curl -x post --user redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rest/resource-server/src/docs/asciidoc/api-guide.adoc"}, "region": {"startLine": 142}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 103705, "scanner": "gitleaks", "fingerprint": "bc3f87344e41b248c9d39103dbdbb7f9fd892c158206eb61ae9194c2756942bd", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|token|16|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rest/resource-server/src/docs/asciidoc/api-guide.adoc"}, "region": {"startLine": 161}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 103704, "scanner": "gitleaks", "fingerprint": "de054395b5416e738889035f7fed12f91aaaa41a44ede877ead9cc22f4824b0a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "secret = <redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|secret redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/couchdb/sw360_setup.ini"}, "region": {"startLine": 9}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 103703, "scanner": "gitleaks", "fingerprint": "54b868ce6ffe428bfd9debf5aa0391fd77c6e06b6ca70b7c6556096f79fff20c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|token|6|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/fossology/src/test/java/org/eclipse/sw360/fossology/FossologyHandlerLocalhostIntegrationTest.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 103679, "scanner": "repobility-threat-engine", "fingerprint": "7b0a8a0b0e1fc8b9f352718d27ee9fc54a5712d523056a045eb27fa0fb984444", "category": "credential_exposure", "severity": "critical", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "High entropy value (4.6 bits) \u2014 likely real secret | [R34 auto-suppress: test/fixture path]", "evidence": {"match": "PASSWORD=\"<redacted>}\"", "reason": "High entropy value (4.6 bits) \u2014 likely real secret | [R34 auto-suppress: test/fixture path]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "secret|token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/docker_test_build.sh"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 103678, "scanner": "repobility-threat-engine", "fingerprint": "cafe702ae65f07bb2558aa10c220c3fbd1dfeb8455d0095c60f2abf16c0a7284", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.5 bits) \u2014 likely real secret", "evidence": {"match": "PASSWORD=\"<redacted>}\"", "reason": "High entropy value (4.5 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rest/authorization-server/tools/printKeyPair.sh"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 103677, "scanner": "repobility-threat-engine", "fingerprint": "2426c77f4675573e339d87461e66c934994d862f01f4dcf67e4e252454b84fbd", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.5 bits) \u2014 likely real secret", "evidence": {"match": "PASSWORD=\"<redacted>}\"", "reason": "High entropy value (4.5 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|3|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rest/authorization-server/tools/generateJwtStore.sh"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 103663, "scanner": "repobility-threat-engine", "fingerprint": "b881c2e3bb346bf7eff8a171ae689e5597c3be2381701063f52373e532bef34c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(XMLStreamConstants", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b881c2e3bb346bf7eff8a171ae689e5597c3be2381701063f52373e532bef34c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/licenseinfo/src/main/java/org/eclipse/sw360/licenseinfo/parsers/AbstractCLIParser.java"}, "region": {"startLine": 127}}}]}]}]}