{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. 
For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/projects/:project"}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 14.5% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 14.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC042", "name": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently s", "shortDescription": {"text": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. 
self._table in Odoo), but a future contributor can extend t"}, "fullDescription": {"text": "Use psycopg2.sql.SQL() + sql.Identifier() for identifiers:\n  from psycopg2 import sql\n  cr.execute(sql.SQL('UPDATE {} SET x=%s').format(sql.Identifier(table)), (value,))\nNever use f-string in cr.execute(). Values go through %s parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. 
Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 15 (SonarSource scale). Cognitive complexi", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weig"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 15."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. 
The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a 
framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no 
healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC017", "name": "Database password is wired through an environment variable placeholder", "shortDescription": {"text": "Database password is wired through an environment variable placeholder"}, "fullDescription": {"text": "Prefer Compose secrets or your platform secret manager with *_FILE variables where the image supports them. Rotate only if a real value was committed."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED063", "name": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use.", "shortDescription": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-367 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED007", "name": "[MINED007] Sql String Concat (and 5 more): Same pattern found in 5 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED007] Sql String Concat (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[SEC004] SQL Injection Risk (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Use parameterized queries: cur.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[SEC078] Python: requests without timeout (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC120", "name": "[SEC120] Hardcoded HMAC key or JWT signing secret: JWT/HMAC signing secret hardcoded in source. Anyone with source acces", "shortDescription": {"text": "[SEC120] Hardcoded HMAC key or JWT signing secret: JWT/HMAC signing secret hardcoded in source. Anyone with source access can forge tokens; secret leaks via git history."}, "fullDescription": {"text": "Load from environment variable or secret manager: `process.env.JWT_SECRET`, `os.environ['JWT_SECRET']`. Generate with `openssl rand -base64 64`. Rotate."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED014] Disabled Tls Verify (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 29 more): Same pattern found in 29 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 33 more): Same pattern found in 33 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 31 more): Same pattern found in 31 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 35 more): Same pattern found in 35 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 39 more): Same pattern found in 39 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 238 more): Same pattern found in 238 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 238 more): Same pattern found in 238 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 34 more): Same pattern found in 34 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 161 more): Same pattern found in 161 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 161 more): Same pattern found in 161 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 297 more): Same pattern found in 297 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 297 more): Same pattern found in 297 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images "}, "fullDescription": {"text": "Replace with: `FROM node:20-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express DELETE /api/projects/:projectId/files has no auth: Express route DELETE /api/projects/:projectId/file", "shortDescription": {"text": "[MINED113] Express DELETE /api/projects/:projectId/files has no auth: Express route DELETE /api/projects/:projectId/files declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticat"}, "fullDescription": {"text": "Add an auth middleware: app.delete('/api/projects/:projectId/files', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.handle_command` used but never assigned in __init__: Method `run` of class `BotWorker` reads `self.hand", "shortDescription": {"text": "[MINED108] `self.handle_command` used but never assigned in __init__: Method `run` of class `BotWorker` reads `self.handle_command`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the fi"}, "fullDescription": {"text": "Initialize `self.handle_command = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. 
Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /api/projects/:projectId/nodes"}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. 
AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. 
Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED114", "name": "[MINED114] Admin endpoint without auth: POST /api/projects/:id/admin-ids/remove: Express route on /admin path (/api/proj", "shortDescription": {"text": "[MINED114] Admin endpoint without auth: POST /api/projects/:id/admin-ids/remove: Express route on /admin path (/api/projects/:id/admin-ids/remove) with no auth middleware."}, "fullDescription": {"text": "Add an auth middleware: app.post('/api/projects/:id/admin-ids/remove', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "critical", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC010", "name": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.", "shortDescription": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "fullDescription": {"text": "Remove immediately and rotate the token. 
Use environment variables."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/655"}, "properties": {"repository": "13145125121/BotTG", "repoUrl": "https://github.com/13145125121/BotTG.git", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44901, "scanner": "repobility-ast-engine", "fingerprint": "c238188e587a13d268cc0ea51834623b0031da3c83d20e5aa158a81efc5bc119", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c238188e587a13d268cc0ea51834623b0031da3c83d20e5aa158a81efc5bc119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44900, "scanner": "repobility-ast-engine", "fingerprint": "d314411ec3f97b281559f3c0b4c0fa1008a82745b538461344c191670800d357", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d314411ec3f97b281559f3c0b4c0fa1008a82745b538461344c191670800d357"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44889, "scanner": "repobility-ast-engine", "fingerprint": "5533973769570aaffe18caeecaba01f85b99b65aabbadae69f272a0f4e913a7f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5533973769570aaffe18caeecaba01f85b99b65aabbadae69f272a0f4e913a7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/bots/userbotAuth.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44888, "scanner": "repobility-ast-engine", "fingerprint": "a23161e397ec31bcee2ca3e33d2af2d508910cbf1007e2b2bb7211f7e40f1d25", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a23161e397ec31bcee2ca3e33d2af2d508910cbf1007e2b2bb7211f7e40f1d25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/utils/update_bot_project_data.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44887, "scanner": "repobility-ast-engine", "fingerprint": "58874a8080b2087905d529ada56908bf064806eada9eb97c3a44096f962d5bb5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58874a8080b2087905d529ada56908bf064806eada9eb97c3a44096f962d5bb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/utils/update_bot_project_data.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44886, "scanner": "repobility-ast-engine", "fingerprint": "0b23b63b4fae7003f01b23a3c9ec36de46c6260903f98b6de3849f0dd3b33e09", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b23b63b4fae7003f01b23a3c9ec36de46c6260903f98b6de3849f0dd3b33e09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_db_queries.py"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44885, "scanner": "repobility-ast-engine", "fingerprint": "9a00657d67ca9f6a941d51672db0be691de4cb69d81ce8e8ce2e9f4955ef2ef2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9a00657d67ca9f6a941d51672db0be691de4cb69d81ce8e8ce2e9f4955ef2ef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_db_queries.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44884, "scanner": "repobility-ast-engine", "fingerprint": "32c4f54ab83a2051ef0b7e9c94b47f77546cdf0d791b95fb4f71104037fe84ec", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32c4f54ab83a2051ef0b7e9c94b47f77546cdf0d791b95fb4f71104037fe84ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_db_queries.py"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44883, "scanner": "repobility-ast-engine", "fingerprint": "414a6d7f6765c718a9d9dae9b5a87022313ed8abafc3cdce34a19011d12ef6ca", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|414a6d7f6765c718a9d9dae9b5a87022313ed8abafc3cdce34a19011d12ef6ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_db_queries.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44882, "scanner": "repobility-ast-engine", "fingerprint": "66c084fe6298fadfb8022219b27c83887b04215c6548ff984ea8e83aacc25389", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|66c084fe6298fadfb8022219b27c83887b04215c6548ff984ea8e83aacc25389"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_check_apis2.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44881, "scanner": "repobility-ast-engine", "fingerprint": "fe20255ea07ab3acfbc9751bccf7b3e5765bbc631ff850522e6cff8b1e6e630a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe20255ea07ab3acfbc9751bccf7b3e5765bbc631ff850522e6cff8b1e6e630a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/generate_tree_json.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44880, "scanner": "repobility-ast-engine", "fingerprint": "e341bc3afaacfde523a69a893c2df8a3630d07410d057a112b9a060c6f8a5e5e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e341bc3afaacfde523a69a893c2df8a3630d07410d057a112b9a060c6f8a5e5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/generate_tree_json.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 44879, "scanner": "repobility-ast-engine", "fingerprint": "e5541ca5dfa2417f60a88cd8c28a57d2f5a45af5b815b23cdfa815f55895fc18", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e5541ca5dfa2417f60a88cd8c28a57d2f5a45af5b815b23cdfa815f55895fc18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_check_db.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 44878, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", 
"category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 44877, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44869, "scanner": "repobility-journey-contract", "fingerprint": "27e19aa2f09f80dee73c3aa83843232646f04213ad00bc0fc0f7e0d7856b701e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": 
"Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/projects/{param}/telegram-client/group-members/${selectedgroup", "correlation_key": "fp|27e19aa2f09f80dee73c3aa83843232646f04213ad00bc0fc0f7e0d7856b701e", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/groups/groups-panel.tsx"}, "region": {"startLine": 646}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44868, "scanner": "repobility-journey-contract", "fingerprint": "2b1fe1f556d312b8aa923d4173f9f8598b13abcf38490b9343f21e5e3f90b430", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/google-auth/start", "correlation_key": "fp|2b1fe1f556d312b8aa923d4173f9f8598b13abcf38490b9343f21e5e3f90b430", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/google-sheets/GoogleSheetsExportButton.tsx"}, "region": {"startLine": 171}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44867, "scanner": "repobility-journey-contract", "fingerprint": "1bc60b0038e2e2eddd1870a8ec715c489160fda7f6ea09aec956fa7d573f91ad", "category": "quality", "severity": "medium", "confidence": 0.74, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/projects/{param}/users/{param}/avatar{param}", "correlation_key": "fp|1bc60b0038e2e2eddd1870a8ec715c489160fda7f6ea09aec956fa7d573f91ad", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/database/user-details/components/PanelHeader.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44866, "scanner": "repobility-journey-contract", "fingerprint": "a57275e5b80e968558af574e9535a9927349ca8a7d7b1ec29bc25018724ecdc9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/projects/{param}/users/messages", "correlation_key": "fp|a57275e5b80e968558af574e9535a9927349ca8a7d7b1ec29bc25018724ecdc9", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/database/user-database/hooks/mutations/use-send-message.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44865, "scanner": "repobility-journey-contract", "fingerprint": 
"ee88cfa20a38434d25ad1b37e15dfb86f808da81a49a66eb929b5e5e545bf1f0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/projects/{param}/messages/{param}{param}", "correlation_key": "fp|ee88cfa20a38434d25ad1b37e15dfb86f808da81a49a66eb929b5e5e545bf1f0", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/database/dialog/hooks/use-edit-message.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44864, "scanner": "repobility-journey-contract", "fingerprint": "fc896262ddbae0fb36eaa3d9d233370eae95b67f707579dfb05a978213501111", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/projects/{param}/messages/{param}{param}", "correlation_key": "fp|fc896262ddbae0fb36eaa3d9d233370eae95b67f707579dfb05a978213501111", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/database/dialog/hooks/use-delete-message.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, 
"properties": {"repobilityId": 44863, "scanner": "repobility-journey-contract", "fingerprint": "4b79e5d7ff56df8ff69eb7e24e8617798ddb12219ae315ee1a9cad631403a734", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/projects/{param}/users/${user", "correlation_key": "fp|4b79e5d7ff56df8ff69eb7e24e8617798ddb12219ae315ee1a9cad631403a734", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/database/dialog/dialog-panel.tsx"}, "region": {"startLine": 102}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44862, "scanner": "repobility-journey-contract", "fingerprint": "08ae3f12e6f45a50e0e933dfcdadc73762743574fc264417a791871344e749ae", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/projects/${projectids", "correlation_key": "fp|08ae3f12e6f45a50e0e933dfcdadc73762743574fc264417a791871344e749ae", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/code/panel/CodePanel.tsx"}, "region": {"startLine": 113}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched 
by discovered backend routes"}, "properties": {"repobilityId": 44861, "scanner": "repobility-journey-contract", "fingerprint": "f2e7d833af3c6f5aa028a0f820b72d8c78a07d8719d4e7a2da14456788e5b010", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/projects/{param}/tokens/first/env-variables", "correlation_key": "fp|f2e7d833af3c6f5aa028a0f820b72d8c78a07d8719d4e7a2da14456788e5b010", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/code/hooks/use-code-generator.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44860, "scanner": "repobility-journey-contract", "fingerprint": "c8b58e020256edffd440dc68c37e4e5f8cf622109c67ab8d9deef62399b554b7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/projects/{param}/bot", "correlation_key": "fp|c8b58e020256edffd440dc68c37e4e5f8cf622109c67ab8d9deef62399b554b7", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/token/useTokenUpdate.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "JRN003", "level": "warning", "message": 
{"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44859, "scanner": "repobility-journey-contract", "fingerprint": "5c981753af7ed314791f9e08c58319bbd600dc2d6029a6f76af4af92808797f0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/projects/{param}/bot", "correlation_key": "fp|5c981753af7ed314791f9e08c58319bbd600dc2d6029a6f76af4af92808797f0", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/token/TokenDisplayEdit.tsx"}, "region": {"startLine": 59}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44858, "scanner": "repobility-journey-contract", "fingerprint": "6cc13bbb442bc2d48e426ae2424b06b4ebc053b9801e0c37f8305188aa706811", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/projects/bot/info", "correlation_key": "fp|6cc13bbb442bc2d48e426ae2424b06b4ebc053b9801e0c37f8305188aa706811", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/bot-control.tsx"}, "region": {"startLine": 279}}}]}, {"ruleId": "JRN003", "level": "warning", 
"message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44857, "scanner": "repobility-journey-contract", "fingerprint": "cb062adafdd1e50fad8785faeb716f0165684bf50dd2e862dc6bfc4f7af64922", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/templates/category/custom", "correlation_key": "fp|cb062adafdd1e50fad8785faeb716f0165684bf50dd2e862dc6bfc4f7af64922", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/App.tsx"}, "region": {"startLine": 192}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 44856, "scanner": "repobility-journey-contract", "fingerprint": "5f38b31a86c39285cbdedd63fda92c2db662279eadc90a89480619dcec2393e9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/templates/category/custom", "correlation_key": "fp|5f38b31a86c39285cbdedd63fda92c2db662279eadc90a89480619dcec2393e9", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/App.tsx"}, "region": {"startLine": 188}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is 
not matched by discovered backend routes"}, "properties": {"repobilityId": 44855, "scanner": "repobility-journey-contract", "fingerprint": "204c5c2cb9eacffed79e903e008c64044fd1c215cc5a1ba13093f50874352ef8", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/templates/category/custom", "correlation_key": "fp|204c5c2cb9eacffed79e903e008c64044fd1c215cc5a1ba13093f50874352ef8", "backend_endpoint_count": 249}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/App.tsx"}, "region": {"startLine": 187}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/projects/:projectId/tokens/:tokenId/logs."}, "properties": {"repobilityId": 44854, "scanner": "repobility-access-control", "fingerprint": "3f6841b1831094faa1f67b5d447bc499fc132089aa520e39e99f92101226f829", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/api/projects/:projectId/tokens/:tokenId/logs", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|42|auc009", "duplicate_count": 1, "identity_targets": ["unknown", "owner"], "duplicate_rule_ids": ["AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["3f6841b1831094faa1f67b5d447bc499fc132089aa520e39e99f92101226f829", "d0e8f710b0b157e81738f2e5752f74cb871a65b288dccb8a3816918688ab4d01"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /api/projects/:id/bot/restart-all."}, "properties": {"repobilityId": 44853, "scanner": "repobility-access-control", "fingerprint": "925af5bc620df985ddb9092f0978fd545da98b2b188d9a36840357d2ab25ce37", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/bot/restart-all", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|41|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /api/projects/:id/bot/restart."}, "properties": {"repobilityId": 44852, "scanner": "repobility-access-control", "fingerprint": "04483fcbf00aebd853d921755b6bac40d06ca37a9bea106a2db3aedb68e9dadc", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/bot/restart", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|40|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /api/projects/:id/bot/stop."}, "properties": {"repobilityId": 44851, "scanner": "repobility-access-control", "fingerprint": "3d4bac82763641977235162b41f9bd398868fcff5d4c4b49cfdc04cc6f385097", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/bot/stop", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|39|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /api/projects/:id/bot/start."}, "properties": {"repobilityId": 44850, "scanner": "repobility-access-control", "fingerprint": "6de2e98c2860b21746644963ff804571508c1b0d40c0e156de0e83d5f97f96d9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/bot/start", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|38|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /api/launch/:launchId/logs."}, "properties": {"repobilityId": 44849, "scanner": "repobility-access-control", "fingerprint": "8fac33204ebc8dd398bce56f033a99f5955a4f152cd1c5615a18deb65be3f139", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/launch/:launchId/logs", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|37|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /api/tokens/:tokenId/launch-history."}, "properties": {"repobilityId": 44848, "scanner": "repobility-access-control", "fingerprint": "3b1fc712060d68b58da4332c9ded30b078b15f601884ca12105deccc2d365f94", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/tokens/:tokenId/launch-history", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|36|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /api/bot/tokens/:tokenId/photo."}, "properties": {"repobilityId": 44847, "scanner": "repobility-access-control", "fingerprint": "7f3d12fd22cd6b68d357f0740e38eec12a56e802a6a9aaba9b8a3ff5129aff7d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/bot/tokens/:tokenId/photo", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|35|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /api/workers/stats."}, "properties": {"repobilityId": 44846, "scanner": "repobility-access-control", "fingerprint": "1760bf32250abf6fb8b3728b2d7373e79b4e7029ced64e6ef1f346def80ff791", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/workers/stats", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|32|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/projects/:projectId/bot/group-info/:groupId."}, "properties": {"repobilityId": 44845, "scanner": "repobility-access-control", "fingerprint": "3c46e5bb6c98b1f4f57347cc86896b39a0ad337104fa4009e5ffe597250201fc", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:projectId/bot/group-info/:groupId", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|201|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotIntegrationRoutes.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /api/projects/:projectId/bot/send-group-message."}, "properties": {"repobilityId": 44844, "scanner": "repobility-access-control", "fingerprint": "33b77027347b620c5a71d3b378eccc67da4509ec1ee78a51c81feb5bfff45c7a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:projectId/bot/send-group-message", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|200|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotIntegrationRoutes.ts"}, "region": {"startLine": 200}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: PUT /api/projects/:id/bot/short-description."}, "properties": {"repobilityId": 44843, "scanner": "repobility-access-control", "fingerprint": "ffba87b71b293ca458b9bf2b7adb9bc71545366220d64740780c5b786126704d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/bot/short-description", "method": "PUT", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|197|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotIntegrationRoutes.ts"}, "region": {"startLine": 197}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /api/projects/:id/export-structure-to-google-sheets."}, "properties": {"repobilityId": 44842, "scanner": "repobility-access-control", "fingerprint": "3063c927ae0aedf5cb47a0cd5578b363ea81397b38c5ec243b42b91024092e82", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/export-structure-to-google-sheets", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|74|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /api/projects/:id/export-to-google-sheets."}, "properties": {"repobilityId": 44841, "scanner": "repobility-access-control", "fingerprint": "a7c69d4e4e154ad76021d71ec933ddd0ea084d49081dc72f41df342b3876f650", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/export-to-google-sheets", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|73|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /api/projects/:id/admin-ids/remove."}, "properties": {"repobilityId": 44840, "scanner": "repobility-access-control", "fingerprint": "331c27208f8e66857978caff0fa3d642662b835e5de62ccbea7b20c7c39b07e8", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/admin-ids/remove", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|70|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: PUT /api/projects/:id/admin-ids."}, "properties": {"repobilityId": 44839, "scanner": "repobility-access-control", "fingerprint": "1555de01948891a3a63df95355b243592d616d22f676b5287fb5e508b8f6c9a1", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/admin-ids", "method": "PUT", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|69|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/projects/:id/admin-ids."}, "properties": {"repobilityId": 44838, "scanner": "repobility-access-control", "fingerprint": "1903bd57e7ec8eafa1102a645e986ed4447eafb2edbb00bcf199f5456cf147b3", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/admin-ids", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|68|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /api/settings/comments-generation."}, "properties": {"repobilityId": 44837, "scanner": "repobility-access-control", "fingerprint": "7255c9b4ba45fb9cf908aa4c7bf3605be3d49f443bf073e40304d0917883d730", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings/comments-generation", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|65|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /api/projects/:id/token."}, "properties": {"repobilityId": 44836, "scanner": "repobility-access-control", "fingerprint": "54666efc3d0eb266b1dbf9133bd1429bab8e36d23a3c9eedfb9ddc3a60d071d5", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/token", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|62|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 14.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 44825, "scanner": "repobility-access-control", "fingerprint": "9881722652e1d068ff5485a6a0d618275a227181f7279ad2d42371e839f498ab", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 249, "correlation_key": "fp|9881722652e1d068ff5485a6a0d618275a227181f7279ad2d42371e839f498ab", "auth_visible_percent": 14.5}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 44824, "scanner": "repobility-access-control", "fingerprint": 
"f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 44817, "scanner": "repobility-docker", "fingerprint": "b98f6b151ac585eebca17f5d769b66cb6471a0448260fe91da3a0d2a01111c8b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b98f6b151ac585eebca17f5d769b66cb6471a0448260fe91da3a0d2a01111c8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 44816, "scanner": "repobility-docker", "fingerprint": "dd75da3d09ed883daa831ef8d2683f4d6ce9295f58b3a00601fb91a4a3d894ab", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad 
context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|dd75da3d09ed883daa831ef8d2683f4d6ce9295f58b3a00601fb91a4a3d894ab", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 44815, "scanner": "repobility-agent-runtime", "fingerprint": "1bb48bbf5dc06bfd6856786b3e4f22627e08cfe83839393a4ec1503cb63e13fd", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|1bb48bbf5dc06bfd6856786b3e4f22627e08cfe83839393a4ec1503cb63e13fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/canvas/canvas/zoom-controls.tsx"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC042", "level": "warning", "message": {"text": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. self._table in Odoo), but a future contributor can extend the f-string to user input without noticing. CWE-89. 
Identifiers (table/column names) need a separate escaping path from values."}, "properties": {"repobilityId": 44814, "scanner": "repobility-threat-engine", "fingerprint": "dee3d479d77b892d96a2c529e197da9b992cfad77de89556317b41feacde5239", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cursor.execute(f\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC042", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|tools/inspect_db.py|25|sec042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/inspect_db.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 44813, "scanner": "repobility-threat-engine", "fingerprint": "7075b713c75b3c3ce86d2d7f14a9a37ff85de3c01b80a822a130992c10f090a3", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7075b713c75b3c3ce86d2d7f14a9a37ff85de3c01b80a822a130992c10f090a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/generate_tree_json.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 
44801, "scanner": "repobility-threat-engine", "fingerprint": "937372a9bf3f144abf564cd0af58d6127a1d072f764d795ec9c04a83a96d33e2", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CERT_NONE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|tools/_check_apis2.py|12|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_check_apis2.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 44776, "scanner": "repobility-threat-engine", "fingerprint": "0773da9bef3bc6f33628fd94587a4b36087d1b6a1a58c21adcfdc0dd1fea5468", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.8 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password=\"<redacted>\"", "reason": "Low entropy value (2.8 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/fix_texts_encoding.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=2, for=3, if=4, nested_bonus=6."}, "properties": {"repobilityId": 44770, "scanner": "repobility-threat-engine", "fingerprint": "d26a1fc5a79d040f167a81a0751bd81b5d659945a257c522c94078ea6e4e11cf", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 15 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 4, "for": 3, "else": 2, "nested_bonus": 6}, "complexity": 15, "correlation_key": "fp|d26a1fc5a79d040f167a81a0751bd81b5d659945a257c522c94078ea6e4e11cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/add_reload_token_node.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 44754, "scanner": "repobility-threat-engine", "fingerprint": "c5cb0b6dea1941d00441b9a62ea6a11bd7bd5424284cb7dbc8cfcf4a7b820ec3", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/find-unused-ts.mjs|45|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/find-unused-ts.mjs"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 44753, "scanner": "repobility-threat-engine", "fingerprint": "453c40fc2499009eb126bbcafd202ad9ef513fba672714bd2e5641817b7ea7e5", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|44|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/sidebar/parsePythonCodeToJson.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 44752, "scanner": "repobility-threat-engine", "fingerprint": "da22b83f45af09ebe812c3488b7a313e4448e58e49331f3da7d3712b22076a83", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|106|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/sidebar/hooks/useImportExport.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 44745, "scanner": "repobility-threat-engine", "fingerprint": "7adf765bfd3e16ff8d750b111130471fb5c8ff3c581f45640cc49de3fcbf8642", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random(),\n        key: item.key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7adf765bfd3e16ff8d750b111130471fb5c8ff3c581f45640cc49de3fcbf8642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/properties/components/common/key-value-editor.tsx"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without 
rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 44739, "scanner": "repobility-threat-engine", "fingerprint": "b882dda713cc4aff66056b51d058fc7ab5c5620101195542cffa4199e2bd2831", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://my.telegram.org\" target=\"_blank\" className=\"underline\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|87|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/telegram-client/components/api-credentials-form.tsx"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 44738, "scanner": "repobility-threat-engine", "fingerprint": "41f009177f99cf708b56a6f374be2f01677e3fa6e20d0383fa8252d11584e718", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open('/api/auth/login', 'telegram_login', `width=${w},height=${h},left=${left},top=${top}`)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|147|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/header/hooks/use-telegram-login.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 44737, "scanner": "repobility-threat-engine", "fingerprint": "b596b8f2f96353d639e2bac80cdddb2a6be47b6a18e9d099cfdb8950551aaa22", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(authUrl, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|181|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/google-sheets/GoogleSheetsExportButton.tsx"}, "region": {"startLine": 181}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 44728, "scanner": "repobility-threat-engine", "fingerprint": "300eda77bddb87a4e943f8f70276cb96987b4aa649cddfa9c40b0010ded6f648", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|300eda77bddb87a4e943f8f70276cb96987b4aa649cddfa9c40b0010ded6f648"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/redis/redisPlatformSubscriber.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 44727, "scanner": 
"repobility-threat-engine", "fingerprint": "4958fa524b8e873a4c56c958d98a5f9b9d29a947fbec0c0cd410ebf9f7348d96", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4958fa524b8e873a4c56c958d98a5f9b9d29a947fbec0c0cd410ebf9f7348d96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/redis/redisClient.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 44726, "scanner": "repobility-threat-engine", "fingerprint": "58f93c329f867f712ba969fd9d10ce4e2f1dff5537514106b4296827c7f68688", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|58f93c329f867f712ba969fd9d10ce4e2f1dff5537514106b4296827c7f68688"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/profile/use-admin-ids.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 44876, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", 
"isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 44875, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 44874, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 44873, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 44823, "scanner": "repobility-docker", "fingerprint": "d7842ec0b551a0d438b14e41f0b7f243cf70f637848c09382e667a295702f079", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "app", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|d7842ec0b551a0d438b14e41f0b7f243cf70f637848c09382e667a295702f079", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": 
{"repobilityId": 44822, "scanner": "repobility-docker", "fingerprint": "47407930733d4a6d73aec7e2ea1a6714160d38fed5f45cd9304705b8ac2ad3f4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|47407930733d4a6d73aec7e2ea1a6714160d38fed5f45cd9304705b8ac2ad3f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 44821, "scanner": "repobility-docker", "fingerprint": "65f13681157f2621891920415a4dcb883146fd919f3f560c89d78571b22a985e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|65f13681157f2621891920415a4dcb883146fd919f3f560c89d78571b22a985e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 44820, "scanner": "repobility-docker", "fingerprint": "ced2fb1dfad0fc83880acd122b8539827fe9fea5aac75563476082b9743729c7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": 
false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ced2fb1dfad0fc83880acd122b8539827fe9fea5aac75563476082b9743729c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 44819, "scanner": "repobility-docker", "fingerprint": "43c56b7792b74a741a8e5474c3f4a37260e0360e0d602d9f68818f6e31f7fe6e", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "db", "variables": ["POSTGRES_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|43c56b7792b74a741a8e5474c3f4a37260e0360e0d602d9f68818f6e31f7fe6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 44818, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 44775, "scanner": "repobility-threat-engine", "fingerprint": "07ae648aa4fbd63ff2a560d1d86e00ec04de60063cff5991446dd8d362b7f4b8", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'https://' + hostname + '/api/v2/connection?include_secrets=true&connector_names=github'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|07ae648aa4fbd63ff2a560d1d86e00ec04de60063cff5991446dd8d362b7f4b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/sync-github.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 44774, "scanner": "repobility-threat-engine", "fingerprint": "115fe819dd0eb2ce12dbc82b52ff6f6237b69a7ce9281664b54b0b93ba75473b", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'https://' + hostname + '/api/v2/connection?include_secrets=true&connector_names=github'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|115fe819dd0eb2ce12dbc82b52ff6f6237b69a7ce9281664b54b0b93ba75473b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/auto-push-github.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `run_checks` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, except=3, for=2, if=2, nested_bonus=6."}, "properties": {"repobilityId": 44772, "scanner": "repobility-threat-engine", "fingerprint": "ac7ad9856f03dc0c32ad23dc552eb6c9aabd3552b008f010d7ef1f454f2707b9", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "run_checks", "breakdown": {"if": 2, "for": 2, "else": 1, "except": 3, "nested_bonus": 6}, "complexity": 14, "correlation_key": "fp|ac7ad9856f03dc0c32ad23dc552eb6c9aabd3552b008f010d7ef1f454f2707b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_db_queries.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 44742, "scanner": "repobility-threat-engine", "fingerprint": "80b340789ef07eeb5eb3125fb55601ce3474ddb926b0602e32060022f7f94d67", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|95|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/inline-rich/hooks/useEditorSync.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 44741, "scanner": "repobility-threat-engine", 
"fingerprint": "26b47a242f1def28e2282fc3fbc97b2121dbedb4495090c67c42f9342f43e4ef", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = p", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|133|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/inline-rich/hooks/useCodeLanguage.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 44812, "scanner": "repobility-threat-engine", "fingerprint": "dd38a5d9ceeffcf5c268dcb15a9e258c564dba5b2cbc61df357a7d423cdc163c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dd38a5d9ceeffcf5c268dcb15a9e258c564dba5b2cbc61df357a7d423cdc163c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/generate_tree_json.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be 
replaced/deleted between check and use."}, "properties": {"repobilityId": 44810, "scanner": "repobility-threat-engine", "fingerprint": "3c77593e8431ae941a727839cb8cc51390cd7c6c30355d6bfd968ecbf3fef6f7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3c77593e8431ae941a727839cb8cc51390cd7c6c30355d6bfd968ecbf3fef6f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/check_tables.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED007", "level": "none", "message": {"text": "[MINED007] Sql String Concat (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 44809, "scanner": "repobility-threat-engine", "fingerprint": "f7ac5533b34fe1b24f5c2b67920aa62a34f689903296710ead97bbaad90cf68b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f7ac5533b34fe1b24f5c2b67920aa62a34f689903296710ead97bbaad90cf68b", "aggregated_count": 5}}}, {"ruleId": "SEC004", "level": "none", "message": {"text": "[SEC004] SQL Injection Risk (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 44805, "scanner": "repobility-threat-engine", "fingerprint": "bca3706d45fe50915cec8719e2da398c3d47ebb352c52262d3b2baf7ee083e8b", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bca3706d45fe50915cec8719e2da398c3d47ebb352c52262d3b2baf7ee083e8b"}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 44800, "scanner": "repobility-threat-engine", "fingerprint": "e8bee766ae20b08e126b7ae9246ec582d485b307b2b782f6deac30cd9a323255", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e8bee766ae20b08e126b7ae9246ec582d485b307b2b782f6deac30cd9a323255", "aggregated_count": 7}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 44799, "scanner": "repobility-threat-engine", "fingerprint": "c40305766d649ed3b15137402934a07f8cabc6312de7cd1b4a6516e9a16f71a0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c40305766d649ed3b15137402934a07f8cabc6312de7cd1b4a6516e9a16f71a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_add_cryptoflow_159.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 44798, "scanner": "repobility-threat-engine", "fingerprint": "2da18118679a7e0a911f4d9a956c356047cecc364cadb367ef9c9cf36948854c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2da18118679a7e0a911f4d9a956c356047cecc364cadb367ef9c9cf36948854c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_add_crazybtc_159.py"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 44797, "scanner": "repobility-threat-engine", "fingerprint": "16f64303ea0b51cf7781e01b5253a7d04cda7958708d4f91d5704323174c7dbe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|16f64303ea0b51cf7781e01b5253a7d04cda7958708d4f91d5704323174c7dbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_add_casper_159.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 44796, "scanner": "repobility-threat-engine", "fingerprint": "783f30b41fae41089c790be3e91570e7803eccd01db5a0fbac463be81181f7c1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|783f30b41fae41089c790be3e91570e7803eccd01db5a0fbac463be81181f7c1"}}}, {"ruleId": "SEC120", "level": "none", "message": {"text": "[SEC120] Hardcoded HMAC key or JWT signing secret: JWT/HMAC signing secret hardcoded in source. Anyone with source access can forge tokens; secret leaks via git history."}, "properties": {"repobilityId": 44791, "scanner": "repobility-threat-engine", "fingerprint": "5ad87c6c979c9143c15c3bbc9c2796dc67e6ac656ceaa415b1b559d0564e8ab0", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Cryptographic handling (password hashing, not hardcoded)", "evidence": {"match": "createHmac('sha256', 'WebAppData')", "reason": "Cryptographic handling (password hashing, not hardcoded)", "rule_id": "SEC120", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|2|createhmac sha256 webappdata"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/auth/handlers/miniAppAuthHandler.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 44790, "scanner": "repobility-threat-engine", "fingerprint": "8d20e20d4f3ee06392d314c03dc2c38ac975b00ae6d60d1a07ba1c0ab52e9768", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '/(?:healthz?|metrics|robots\\.txt|sitemap\\.xml|webhooks?/)' detected on same line", "evidence": {"match": "app.post('/api/webhook/:projectId/:tokenId', async (req, res) => {", "reason": "Safe pattern '/(?:healthz?|metrics|robots\\.txt|sitemap\\.xml|webhooks?/)' detected on same line", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|8d20e20d4f3ee06392d314c03dc2c38ac975b00ae6d60d1a07ba1c0ab52e9768"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupWebhookRoutes.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 44784, "scanner": "repobility-threat-engine", "fingerprint": "99ea9ef1ce947029b0ceb1abeaddc7de82848ca99dd8b6ca727019bb4c1d16c0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|99ea9ef1ce947029b0ceb1abeaddc7de82848ca99dd8b6ca727019bb4c1d16c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/utils/validate.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED014", "level": "none", "message": {"text": "[MINED014] Disabled Tls Verify (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 44782, "scanner": "repobility-threat-engine", "fingerprint": "e9b2617012f51a98fb8fb05dd43dadcdf5fcb1817a4bb90b8d57cffeba5d721b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e9b2617012f51a98fb8fb05dd43dadcdf5fcb1817a4bb90b8d57cffeba5d721b", "aggregated_count": 1}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 44773, "scanner": "repobility-threat-engine", "fingerprint": "660240acab6413a56e42e6433a0668db843fb8293390ee3b12cfbd5da595c736", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 4, "for": 3, "else": 2, "nested_bonus": 6}, "aggregated": true, "complexity": 15, "correlation_key": "fp|660240acab6413a56e42e6433a0668db843fb8293390ee3b12cfbd5da595c736", "aggregated_count": 29}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 44769, "scanner": "repobility-threat-engine", "fingerprint": "7c6ced73fc95877f85b046001bf927b30368e000636a29e1e6f769092db45fac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7c6ced73fc95877f85b046001bf927b30368e000636a29e1e6f769092db45fac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/ui/chart.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 44766, "scanner": "repobility-threat-engine", "fingerprint": "27212d4b18289731d159bdea7f156995d7037694ca8b2236bf733b71b9bc8335", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|27212d4b18289731d159bdea7f156995d7037694ca8b2236bf733b71b9bc8335", "aggregated_count": 29}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 44765, "scanner": "repobility-threat-engine", "fingerprint": "40aa793e5ecd0d5d2cdb5a857818ce927a3413f19d7523899d39ce4619948404", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|40aa793e5ecd0d5d2cdb5a857818ce927a3413f19d7523899d39ce4619948404"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/auto-push-github.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 44764, "scanner": "repobility-threat-engine", "fingerprint": "4be8a41e8fa31f6e73c707c338652bb179ed03d3869c6b8015126180cb23e72b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", 
"evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4be8a41e8fa31f6e73c707c338652bb179ed03d3869c6b8015126180cb23e72b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/add_reload_token_node.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 44763, "scanner": "repobility-threat-engine", "fingerprint": "9d02b834631d8e5f9b610ea860ea2f41f2a98938b0ab54d0765b97c3b22d8eb0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d02b834631d8e5f9b610ea860ea2f41f2a98938b0ab54d0765b97c3b22d8eb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/terminal/use-terminal-websocket.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 33 more): Same pattern found in 33 additional files. 
Review if needed."}, "properties": {"repobilityId": 44762, "scanner": "repobility-threat-engine", "fingerprint": "97acb72a8991dbffc493ab5ac0ffcaca0c61f828d54c879a732c9b0119a91775", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|97acb72a8991dbffc493ab5ac0ffcaca0c61f828d54c879a732c9b0119a91775"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 44758, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 44751, "scanner": "repobility-threat-engine", "fingerprint": "4775e7ef1cb664685ed69ec55a48b6586a838601e34ca43f1fa09999ec7f513c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4775e7ef1cb664685ed69ec55a48b6586a838601e34ca43f1fa09999ec7f513c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/properties/components/configuration/user-management-configuration.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC022", "level": "none", "message": {"text": "[SEC022] Database URL With Embedded Credential (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 44750, "scanner": "repobility-threat-engine", "fingerprint": "625144b0df71f25fd23563f8229d9721688e180c36dd6fd1ab074c254de646b7", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|625144b0df71f25fd23563f8229d9721688e180c36dd6fd1ab074c254de646b7"}}}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 44746, "scanner": "repobility-threat-engine", "fingerprint": "6a1114d55bdc828dfb4777a1dcd5887c72d962b68d09a7b225f7449616268b0a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a1114d55bdc828dfb4777a1dcd5887c72d962b68d09a7b225f7449616268b0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/properties/components/configuration/http-curl-import.tsx"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 44740, "scanner": "repobility-threat-engine", "fingerprint": "445e143bfb9fa42d815d6c9ae398165a70589a79a844fb4f61e3e95a91105bbd", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|445e143bfb9fa42d815d6c9ae398165a70589a79a844fb4f61e3e95a91105bbd"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 44736, "scanner": "repobility-threat-engine", "fingerprint": "62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 44735, "scanner": "repobility-threat-engine", "fingerprint": "c632ade03c0d71d3f4508af5c3eeae5a2e7314203eea9af795cb17a80fc0645e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c632ade03c0d71d3f4508af5c3eeae5a2e7314203eea9af795cb17a80fc0645e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/database/user-database/components/details/response-media.tsx"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 44734, "scanner": "repobility-threat-engine", "fingerprint": "7104a6c32170beeafc46010008e3523219025cd3294a14be3dd4c6c4dea925eb", "category": "quality", "severity": "info", "confidence": 
1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7104a6c32170beeafc46010008e3523219025cd3294a14be3dd4c6c4dea925eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/database/responses-table/components/response-row.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 44733, "scanner": "repobility-threat-engine", "fingerprint": "700407f13031a786f6d9b6131acdefc74c1be629df017a3fe1d469a1ed866f48", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|700407f13031a786f6d9b6131acdefc74c1be629df017a3fe1d469a1ed866f48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/database/responses-table/components/response-photo.tsx"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 31 more): Same pattern found in 31 
additional files. Review if needed."}, "properties": {"repobilityId": 44732, "scanner": "repobility-threat-engine", "fingerprint": "71fddcc370b2e8808253283f75ceceba2d4119bdff282f23d18d139433d3219c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|71fddcc370b2e8808253283f75ceceba2d4119bdff282f23d18d139433d3219c"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "properties": {"repobilityId": 44725, "scanner": "repobility-threat-engine", "fingerprint": "5e2766527e20fac411476d2b862dd1b322ae22e55a50062e6a0b3444674f119d", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5e2766527e20fac411476d2b862dd1b322ae22e55a50062e6a0b3444674f119d"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 39 more): Same pattern found in 39 additional files. 
Review if needed."}, "properties": {"repobilityId": 44721, "scanner": "repobility-threat-engine", "fingerprint": "8f08cce82f541b4c6ade19d9d8efcccb9ef2133c55161b610f35b41b78bcb653", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 39 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8f08cce82f541b4c6ade19d9d8efcccb9ef2133c55161b610f35b41b78bcb653", "aggregated_count": 39}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 44720, "scanner": "repobility-threat-engine", "fingerprint": "6d2d1d12fe985b27718bf5a8500f1fac9a3c7282c3cc4f0dc8c7bbcbf2661e4e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d2d1d12fe985b27718bf5a8500f1fac9a3c7282c3cc4f0dc8c7bbcbf2661e4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/broadcast/wizard/step-confirm.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 44719, "scanner": "repobility-threat-engine", "fingerprint": "aa429ff5dca156b2a5db5913742a9a32ae4b579759623343f03d5034c3db4789", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa429ff5dca156b2a5db5913742a9a32ae4b579759623343f03d5034c3db4789"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/contexts/ActiveTerminalsContext.tsx"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 44718, "scanner": "repobility-threat-engine", "fingerprint": "375155c4c51c591e81038366c1aeb0bf88d61b5c3afbdecbbe042e3c18417995", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|375155c4c51c591e81038366c1aeb0bf88d61b5c3afbdecbbe042e3c18417995"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/bot-control.tsx"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 238 more): Same pattern found in 238 additional files. Review if needed."}, "properties": {"repobilityId": 44717, "scanner": "repobility-threat-engine", "fingerprint": "b0db3b464bdfc8c1ddd460b3f80affecb2003e56798db188e6c6b3a2950a42af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 238 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b0db3b464bdfc8c1ddd460b3f80affecb2003e56798db188e6c6b3a2950a42af", "aggregated_count": 238}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 44716, "scanner": "repobility-threat-engine", "fingerprint": "645008b7e01ab7161f86e0af1cfefdddb25e6605e72da83044a36c79922cdb71", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|645008b7e01ab7161f86e0af1cfefdddb25e6605e72da83044a36c79922cdb71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/add-bot/AddBotTokenInput.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 44715, "scanner": "repobility-threat-engine", "fingerprint": "25657615c6fe1000613d5d8bce692098dbe3a80818682398e35545ddfa4858c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|25657615c6fe1000613d5d8bce692098dbe3a80818682398e35545ddfa4858c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/add-bot/AddBotDialogActions.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 44714, "scanner": "repobility-threat-engine", "fingerprint": "7851d1d55656d7849713d72db8ebffd08e26cd95da0c65df34b30e576be381b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7851d1d55656d7849713d72db8ebffd08e26cd95da0c65df34b30e576be381b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/add-bot/AddBotDialog.tsx"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "properties": {"repobilityId": 44713, "scanner": "repobility-threat-engine", "fingerprint": "a23da6d11bcf06dd5de3a0ff35e27e056d6b23fc28e3b9f342d415526d223a78", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 34 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a23da6d11bcf06dd5de3a0ff35e27e056d6b23fc28e3b9f342d415526d223a78", "aggregated_count": 34}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 44712, "scanner": "repobility-threat-engine", "fingerprint": "0719a2dc32f02b43707c33ca7a01281aa0bcfa74d654786add217006f3a6ef92", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0719a2dc32f02b43707c33ca7a01281aa0bcfa74d654786add217006f3a6ef92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/broadcast/broadcast-panel.tsx"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 44711, "scanner": "repobility-threat-engine", "fingerprint": 
"e80781f1767bf39661c38278d9a5be6123b18277b553cf430cf3d50cd164d968", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e80781f1767bf39661c38278d9a5be6123b18277b553cf430cf3d50cd164d968"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/panel/BotControlPanelLoading.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 44710, "scanner": "repobility-threat-engine", "fingerprint": "378c4767972ad7715aa69068f61b50918a7cdd8b3f50808d66016600559b5630", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|378c4767972ad7715aa69068f61b50918a7cdd8b3f50808d66016600559b5630"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/analytics/analytics-sources-chart.tsx"}, "region": {"startLine": 
65}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 161 more): Same pattern found in 161 additional files. Review if needed."}, "properties": {"repobilityId": 44709, "scanner": "repobility-threat-engine", "fingerprint": "2357fcbf2a5b851f85d360db01c3263335634ead34fd8312f5783f1d85165f48", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 161 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2357fcbf2a5b851f85d360db01c3263335634ead34fd8312f5783f1d85165f48", "aggregated_count": 161}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 44708, "scanner": "repobility-threat-engine", "fingerprint": "449ed3da0667060979b7fb8df95d39020417e2c80f6f759550c9a20e6fc7f3b0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|449ed3da0667060979b7fb8df95d39020417e2c80f6f759550c9a20e6fc7f3b0"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/canvas/canvas-node/answer-callback-query-preview.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 44707, "scanner": "repobility-threat-engine", "fingerprint": "341a2f40bd3a37296fcf72eb82a68c0410da3a6110dd3bd4e9fc7343b66e02c9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|341a2f40bd3a37296fcf72eb82a68c0410da3a6110dd3bd4e9fc7343b66e02c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/app-sidebar/components/sidebar-footer.tsx"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 44706, "scanner": "repobility-threat-engine", "fingerprint": "78994a5ece6abf36d005d9126ec5b370cbed78fe9959f9199a165ea3215975b4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 
341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78994a5ece6abf36d005d9126ec5b370cbed78fe9959f9199a165ea3215975b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/analytics/analytics-sources-chart.tsx"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 297 more): Same pattern found in 297 additional files. Review if needed."}, "properties": {"repobilityId": 44705, "scanner": "repobility-threat-engine", "fingerprint": "32315651e15beeec508b2eec9694d198890405a78a72365d68bb01b455bfee15", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 297 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|32315651e15beeec508b2eec9694d198890405a78a72365d68bb01b455bfee15", "aggregated_count": 297}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 44704, "scanner": "repobility-threat-engine", "fingerprint": "e8af1cb1fa90995a18d81249bc8677928642ecbd6a8ef1276d6bb63b23da9aa9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e8af1cb1fa90995a18d81249bc8677928642ecbd6a8ef1276d6bb63b23da9aa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/profile/BotProfileEditor.tsx"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 44703, "scanner": "repobility-threat-engine", "fingerprint": "8807ff7eaff7d6197c783170ea66778e0b5656edab01cb7ddd714cd079a66cd9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8807ff7eaff7d6197c783170ea66778e0b5656edab01cb7ddd714cd079a66cd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/ErrorBoundary.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 44702, "scanner": "repobility-threat-engine", "fingerprint": "51fd0f51dd15fc80ad2afc49d69e8a7c4c948b2dfc014daed3d45d729b20f6de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51fd0f51dd15fc80ad2afc49d69e8a7c4c948b2dfc014daed3d45d729b20f6de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/App.tsx"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 44931, "scanner": "repobility-supply-chain", "fingerprint": "0687e58b8cd173a04b99b6460da8d0231ed44c0079f589bbcbfe91db9051d007", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0687e58b8cd173a04b99b6460da8d0231ed44c0079f589bbcbfe91db9051d007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-tree.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 44930, "scanner": "repobility-supply-chain", "fingerprint": "8415fd9ce8589840008500efc94bc5ec8c237edcb66d61f838142bb7184e8a0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8415fd9ce8589840008500efc94bc5ec8c237edcb66d61f838142bb7184e8a0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 44929, "scanner": "repobility-supply-chain", "fingerprint": "03fcf41d340ad7283bc058977f4dfc70bb07ae1d71c4f7643bb2106f333f1010", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03fcf41d340ad7283bc058977f4dfc70bb07ae1d71c4f7643bb2106f333f1010"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/projects/:projectId/files has no auth: Express route DELETE /api/projects/:projectId/files declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44928, "scanner": "repobility-route-auth", "fingerprint": "7654046f4f25b17cd3e617500e28c418b0ee977f435f5ad26909d592e2e90fdd", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7654046f4f25b17cd3e617500e28c418b0ee977f435f5ad26909d592e2e90fdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotIntegrationRoutes.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:projectId/files has no auth: Express route POST /api/projects/:projectId/files declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44927, "scanner": "repobility-route-auth", "fingerprint": "b4a6ae95962aa7ffcbbd2caa32c53f780e483c55d0bfb8f37a71c8a4e4fb3180", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b4a6ae95962aa7ffcbbd2caa32c53f780e483c55d0bfb8f37a71c8a4e4fb3180"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotIntegrationRoutes.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/user/templates/:id has no auth: Express route DELETE /api/user/templates/:id declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44926, "scanner": "repobility-route-auth", "fingerprint": "dd95610075e2f8007399cb452b5302845e5970c4b501644d0d196188f14479e4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|dd95610075e2f8007399cb452b5302845e5970c4b501644d0d196188f14479e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupUserTemplateRoutes.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /api/user/templates/:id has no auth: Express route PATCH /api/user/templates/:id declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44925, "scanner": "repobility-route-auth", "fingerprint": "d86945fd8e40218b24be0e022864b1c513c3cae62887e980bc1038ffca833ce4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d86945fd8e40218b24be0e022864b1c513c3cae62887e980bc1038ffca833ce4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupUserTemplateRoutes.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/user/templates has no auth: Express route POST /api/user/templates declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44924, "scanner": "repobility-route-auth", "fingerprint": "1bae32f1224c6e6f190452cddf2af453fd80535579f85d9ef7529f65c5427a7a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1bae32f1224c6e6f190452cddf2af453fd80535579f85d9ef7529f65c5427a7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupUserTemplateRoutes.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/push-to-github has no auth: Express route POST /api/push-to-github declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44923, "scanner": "repobility-route-auth", "fingerprint": "0dc4f70da75100cb022b8c4cd953d79a05dcb6f8e3121a0d960f585b5fbcd914", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0dc4f70da75100cb022b8c4cd953d79a05dcb6f8e3121a0d960f585b5fbcd914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupGithubPushRoute.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/auth/dev-login has no auth: Express route POST /api/auth/dev-login declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44922, "scanner": "repobility-route-auth", "fingerprint": "d931d52b2182db2b245cd6c10a154f2e867613285ab8b0e7627922a44f7a16b0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d931d52b2182db2b245cd6c10a154f2e867613285ab8b0e7627922a44f7a16b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupAuthRoutes.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/auth/telegram/miniapp has no auth: Express route POST /api/auth/telegram/miniapp declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44921, "scanner": "repobility-route-auth", "fingerprint": "6d3e79692b3b3f58527cb465d017f00fe121ec728858d29fba8417a408df2666", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6d3e79692b3b3f58527cb465d017f00fe121ec728858d29fba8417a408df2666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupAuthRoutes.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/auth/telegram has no auth: Express route POST /api/auth/telegram declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44920, "scanner": "repobility-route-auth", "fingerprint": "76d32b28ff7e85252562e728c68f737d527e31124151af0989ab5c7c77b104e8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|76d32b28ff7e85252562e728c68f737d527e31124151af0989ab5c7c77b104e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupAuthRoutes.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/bot-folders/cleanup has no auth: Express route POST /api/bot-folders/cleanup declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44919, "scanner": "repobility-route-auth", "fingerprint": "5bd6a1f2ddfd08b4ac900b4e139cb17368691ddb9b8ec657f31a1731f5b942b3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5bd6a1f2ddfd08b4ac900b4e139cb17368691ddb9b8ec657f31a1731f5b942b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/media/upload-from-url has no auth: Express route POST /api/media/upload-from-url declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44918, "scanner": "repobility-route-auth", "fingerprint": "b24ddb4cc09e4aceb5ba71119f12feeafbc905f7b26a816850caa94b61a7a7c7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b24ddb4cc09e4aceb5ba71119f12feeafbc905f7b26a816850caa94b61a7a7c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/export-structure-to-google-sheets has no auth: Express route POST /api/projects/:id/export-structure-to-google-sheets declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44917, "scanner": "repobility-route-auth", "fingerprint": "ce95336af308fab4bd2bb32c15824a84c7be408681082fe1ab5ff993f01b7ea1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ce95336af308fab4bd2bb32c15824a84c7be408681082fe1ab5ff993f01b7ea1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/export-to-google-sheets has no auth: Express route POST /api/projects/:id/export-to-google-sheets declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44916, "scanner": "repobility-route-auth", "fingerprint": "509fd35bc95558cd5523f87423d9fc352ebd85b11bd6dec88cdea48efc29edf1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|509fd35bc95558cd5523f87423d9fc352ebd85b11bd6dec88cdea48efc29edf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/settings/comments-generation has no auth: Express route POST /api/settings/comments-generation declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44913, "scanner": "repobility-route-auth", "fingerprint": "a6e0e02f89943c36457cafbf72a293473d254caabfc1533c49ad02e22463392f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a6e0e02f89943c36457cafbf72a293473d254caabfc1533c49ad02e22463392f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/projects/:id/token has no auth: Express route DELETE /api/projects/:id/token declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44912, "scanner": "repobility-route-auth", "fingerprint": "c6f07939d327ccaa9537b7e860e545b8965d5b46ae99ba8878faf5238cad8d94", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c6f07939d327ccaa9537b7e860e545b8965d5b46ae99ba8878faf5238cad8d94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/generate has no auth: Express route POST /api/projects/:id/generate declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44911, "scanner": "repobility-route-auth", "fingerprint": "12c635adf064521d078bf758210baa7e53cdb1ec06d7ae166c19d62f50b9fe4f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|12c635adf064521d078bf758210baa7e53cdb1ec06d7ae166c19d62f50b9fe4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/export has no auth: Express route POST /api/projects/:id/export declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44910, "scanner": "repobility-route-auth", "fingerprint": "8c8b99a865b9f2c2a71f7934b454f902f211e890045d57bd0da80ee1aa3a2370", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8c8b99a865b9f2c2a71f7934b454f902f211e890045d57bd0da80ee1aa3a2370"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT /api/projects/:id has no auth: Express route PUT /api/projects/:id declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44909, "scanner": "repobility-route-auth", "fingerprint": "cd858780b2eca41fd527e12ef1eaa4149e830a7484750bb54c18b0e0f0d035a2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|cd858780b2eca41fd527e12ef1eaa4149e830a7484750bb54c18b0e0f0d035a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT /api/projects/reorder has no auth: Express route PUT /api/projects/reorder declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44908, "scanner": "repobility-route-auth", "fingerprint": "f43831af7a296d333675112c64288607eabca90c30fc410abc71ffc3e70ef9db", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f43831af7a296d333675112c64288607eabca90c30fc410abc71ffc3e70ef9db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects has no auth: Express route POST /api/projects declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44907, "scanner": "repobility-route-auth", "fingerprint": "2d819cc3635de373f00fc27f5fad4bac13c046828b195ba436bb686af55130db", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2d819cc3635de373f00fc27f5fad4bac13c046828b195ba436bb686af55130db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/projects/:projectId/tokens/:tokenId/logs has no auth: Express route DELETE /api/projects/:projectId/tokens/:tokenId/logs declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44906, "scanner": "repobility-route-auth", "fingerprint": "f10e4e638ca21211911525b0ff634eb38f1c9e31e7ec6d22dd4fff035744f845", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f10e4e638ca21211911525b0ff634eb38f1c9e31e7ec6d22dd4fff035744f845"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/bot/restart-all has no auth: Express route POST /api/projects/:id/bot/restart-all declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44905, "scanner": "repobility-route-auth", "fingerprint": "90133fc021578299ce6b3c459c6b81003b5056025dfdfe12056646e227e2f8f8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|90133fc021578299ce6b3c459c6b81003b5056025dfdfe12056646e227e2f8f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/bot/restart has no auth: Express route POST /api/projects/:id/bot/restart declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44904, "scanner": "repobility-route-auth", "fingerprint": "32ad1d3ea55099407c5ab74799a960ca92ab3edd932c1ffa3bc9196c4388aac7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|32ad1d3ea55099407c5ab74799a960ca92ab3edd932c1ffa3bc9196c4388aac7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/bot/stop has no auth: Express route POST /api/projects/:id/bot/stop declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44903, "scanner": "repobility-route-auth", "fingerprint": "5431f8e1a30f87acd269742829ecb0bc4584166872f6e09898356eea7862bad3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5431f8e1a30f87acd269742829ecb0bc4584166872f6e09898356eea7862bad3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/bot/start has no auth: Express route POST /api/projects/:id/bot/start declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 44902, "scanner": "repobility-route-auth", "fingerprint": "8d28765da2f282b6eede8fe0bf0fad3ec95c1ed343e252729f0e7458ed9f938d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8d28765da2f282b6eede8fe0bf0fad3ec95c1ed343e252729f0e7458ed9f938d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.handle_command` used but never assigned in __init__: Method `run` of class `BotWorker` reads `self.handle_command`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 44899, "scanner": "repobility-ast-engine", "fingerprint": "f4d72364631f919db10850def4973151114c1f5ae62c31b57bf1056fe3736650", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f4d72364631f919db10850def4973151114c1f5ae62c31b57bf1056fe3736650"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 349}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._shutdown` used but never assigned in __init__: Method `run` of class `BotWorker` reads `self._shutdown`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 44898, "scanner": "repobility-ast-engine", "fingerprint": "8f65ff1b60909780a07502fceee9435cd6b9412d8c5ecae156d86ffa93ed216d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8f65ff1b60909780a07502fceee9435cd6b9412d8c5ecae156d86ffa93ed216d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 362}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._stop_bot` used but never assigned in __init__: Method `_shutdown` of class `BotWorker` reads `self._stop_bot`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 44897, "scanner": "repobility-ast-engine", "fingerprint": "4d98c02bed9bb86b0896b8d07328915fb37c3d9dfc84bcbcce4da5fa51ad3c6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4d98c02bed9bb86b0896b8d07328915fb37c3d9dfc84bcbcce4da5fa51ad3c6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 306}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._stop_bot` used but never assigned in __init__: Method `_start_bot` of class `BotWorker` reads `self._stop_bot`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 44896, "scanner": "repobility-ast-engine", "fingerprint": "7ad1caf654414d049526a44f616e5e5914d8afddbbdcb59058ad1824762dd976", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ad1caf654414d049526a44f616e5e5914d8afddbbdcb59058ad1824762dd976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._run_bot` used but never assigned in __init__: Method `_start_bot` of class `BotWorker` reads `self._run_bot`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 44895, "scanner": "repobility-ast-engine", "fingerprint": "af1a5e1d77d623fd3218356643c89974d56604eb98cb7a53a052d3ce850c050e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|af1a5e1d77d623fd3218356643c89974d56604eb98cb7a53a052d3ce850c050e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._shutdown` used but never assigned in __init__: Method `handle_command` of class `BotWorker` reads `self._shutdown`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 44894, "scanner": "repobility-ast-engine", "fingerprint": "3b18428186311b20f4fa17a8881f50952c691fdf20d0477953367ac468b31135", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3b18428186311b20f4fa17a8881f50952c691fdf20d0477953367ac468b31135"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._emit_status` used but never assigned in __init__: Method `handle_command` of class `BotWorker` reads `self._emit_status`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 44893, "scanner": "repobility-ast-engine", "fingerprint": "297a0ad307a851116389479e5fd1f59bd4daf3802327ab1c31e91644beffa857", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|297a0ad307a851116389479e5fd1f59bd4daf3802327ab1c31e91644beffa857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._stop_bot` used but never assigned in __init__: Method `handle_command` of class `BotWorker` reads `self._stop_bot`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 44892, "scanner": "repobility-ast-engine", "fingerprint": "da6723b57b9ec2b42cce44ceb126fff656e3d90ec0b72fb53997a0854759b77b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|da6723b57b9ec2b42cce44ceb126fff656e3d90ec0b72fb53997a0854759b77b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._start_bot` used but never assigned in __init__: Method `handle_command` of class `BotWorker` reads `self._start_bot`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 44891, "scanner": "repobility-ast-engine", "fingerprint": "7192cdf326d04ddb817f4e9e3db8ba5acf62d04ca981298861dbc24aa0f1871e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7192cdf326d04ddb817f4e9e3db8ba5acf62d04ca981298861dbc24aa0f1871e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.format` used but never assigned in __init__: Method `emit` of class `WorkerLogHandler` reads `self.format`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 44890, "scanner": "repobility-ast-engine", "fingerprint": "b806c51f76a7566edce3735e9194b2559229bde704c470667ae4753cd4762e1d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b806c51f76a7566edce3735e9194b2559229bde704c470667ae4753cd4762e1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/python/worker.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 44872, "scanner": "repobility-journey-contract", "fingerprint": "bd730ee990c314a72245566ded8b9f039788a452a7e8242635ee2a3d06870bd1", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|54|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/telegram-client/components/qr-password-step-view.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 44871, "scanner": "repobility-journey-contract", "fingerprint": 
"64aaa093943267a0a5e2c164fd173d747657f7eda23997e3b3dcad809fe36046", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|294|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/properties/components/configuration/psql-connection-section.tsx"}, "region": {"startLine": 294}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 44870, "scanner": "repobility-journey-contract", "fingerprint": "7b43ed7354fac3a210d41e0843b34284218452aba209a121cc70558e2314b444", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|345|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/card/BotUserbotSettings.tsx"}, "region": {"startLine": 345}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/projects/:projectId/nodes."}, "properties": {"repobilityId": 44835, "scanner": "repobility-access-control", "fingerprint": "0094421b7c946269f66d43a9ac6938208b8e55b484b494ce7c7d646a57c78577", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:projectId/nodes", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|45|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/projects/:id."}, "properties": {"repobilityId": 44834, "scanner": "repobility-access-control", "fingerprint": "ef367a1b92fc1fa7627a19e3624125088fd425ebf148e6ceb0d0f00439045773", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|44|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /api/projects/:projectId/tokens/:tokenId/logs."}, "properties": {"repobilityId": 44833, "scanner": "repobility-access-control", "fingerprint": "27632f7470e7f50aabedc1177fbe467f7855369b4afa720b9ca187562f6b8c49", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:projectId/tokens/:tokenId/logs", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|42|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /api/projects/:id/bot/restart-all."}, "properties": {"repobilityId": 44832, "scanner": "repobility-access-control", "fingerprint": "4ffe3107b769121f0e6db18e6b61ccfa34a1fc039e16a22d028d3f67f3f0c65c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/bot/restart-all", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|41|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /api/projects/:id/bot/restart."}, "properties": {"repobilityId": 44831, "scanner": "repobility-access-control", "fingerprint": "9d17f9583dc9511390b2b2b857b07cbca9958bf525e3c019b2df218204c04a57", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/bot/restart", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|40|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /api/projects/:id/bot/stop."}, "properties": {"repobilityId": 44830, "scanner": "repobility-access-control", "fingerprint": "2f1086c6b1823127f5ee85a08588ec9058a05fa4ead57122d4ee7af40ed296e8", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/bot/stop", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|39|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /api/projects/:id/bot/start."}, "properties": {"repobilityId": 44829, "scanner": "repobility-access-control", "fingerprint": "697df3b2f057f95d9b06eb51277ba4419e34c7ae828ce374788415462026bb13", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/projects/:id/bot/start", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|38|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/launch/:launchId/logs."}, "properties": {"repobilityId": 44828, "scanner": "repobility-access-control", "fingerprint": "39f196ea5dca808eddf1bad4ec865016937a28bc210ab6324c7c88963df83c84", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/launch/:launchId/logs", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|37|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/tokens/:tokenId/launch-history."}, "properties": {"repobilityId": 44827, "scanner": "repobility-access-control", "fingerprint": "dbd90d7d8c74319aec0c3a2cce5467e0322d18492488bf3eb2badc29219471f8", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/tokens/:tokenId/launch-history", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|36|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/bot/tokens/:tokenId/photo."}, "properties": {"repobilityId": 44826, "scanner": "repobility-access-control", "fingerprint": "3da0b3eea24dc9b6e0f72eab021e9f2409370405863539ea5e3d1b78cddc59aa", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/bot/tokens/:tokenId/photo", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|35|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupBotManagementRoutes.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 44811, "scanner": "repobility-threat-engine", "fingerprint": "3327f6c5ef5fdf5643d3b9f0b88effbff9858212f22b62092c4ca1120c95f99d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3327f6c5ef5fdf5643d3b9f0b88effbff9858212f22b62092c4ca1120c95f99d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/generate_tree_json.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String 
interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 44804, "scanner": "repobility-threat-engine", "fingerprint": "2843008f43002e9cca2ed50946265754f136382b9f5e7508cd3e3d4a20487735", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": ".execute(f\"SELECT", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|tools/_list_tables.py|9|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_list_tables.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 44803, "scanner": "repobility-threat-engine", "fingerprint": "12c49628275a45774d264a77655451a73b48cfa28a980a4926b8de1c76c2342f", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": ".execute(f\"SELECT", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|tools/_check_orphans.py|38|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_check_orphans.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. 
Allows SQL injection."}, "properties": {"repobilityId": 44802, "scanner": "repobility-threat-engine", "fingerprint": "c60619bc9e98352c9eff04b0b7a5c1ed5d746ce73320054f72a9654516964b82", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": ".execute(f\"SELECT", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|tools/_check_db.py|17|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_check_db.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 44795, "scanner": "repobility-threat-engine", "fingerprint": "f2f4e08b600746e5188c9fd0159325347e860b930e62cdd5947d34b9e9d2b80d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.put(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2f4e08b600746e5188c9fd0159325347e860b930e62cdd5947d34b9e9d2b80d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_add_cryptoflow_159.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 44794, "scanner": "repobility-threat-engine", "fingerprint": "66e336b7b53e0296e905676021bd8241a6fb11cb4211394236cf026097f2c520", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.put(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|66e336b7b53e0296e905676021bd8241a6fb11cb4211394236cf026097f2c520"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_add_crazybtc_159.py"}, "region": {"startLine": 216}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 44793, "scanner": "repobility-threat-engine", "fingerprint": "3038d20ae32d84721b978657b2665e25d67571076f230d072b470384e0624cea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.put(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3038d20ae32d84721b978657b2665e25d67571076f230d072b470384e0624cea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_add_casper_159.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 44792, "scanner": "repobility-threat-engine", "fingerprint": "201a8f6feda9bf8c2f7594d3d1a43f9a1f0d58787847ed986856219089281cdf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|201a8f6feda9bf8c2f7594d3d1a43f9a1f0d58787847ed986856219089281cdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/seed-templates.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP 
endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 44789, "scanner": "repobility-threat-engine", "fingerprint": "a9d9a5a9fab25c16b7545a57be676e5425af7e8814e953781919893f964d5557", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/api/push-to-github\", async (_req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a9d9a5a9fab25c16b7545a57be676e5425af7e8814e953781919893f964d5557"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupGithubPushRoute.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 44788, "scanner": "repobility-threat-engine", "fingerprint": "a80a75092bbb7004c47b85edbfcf53a266ac76bb2d50df6252d270cbd82fe578", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('/cache/clear', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a80a75092bbb7004c47b85edbfcf53a266ac76bb2d50df6252d270cbd82fe578"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/database/db-routes.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 44787, "scanner": "repobility-threat-engine", "fingerprint": "1f35e5ae7455948b9d14b981c0dff29a1a43c2f119f49f984b0cf64aa7cc1564", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1f35e5ae7455948b9d14b981c0dff29a1a43c2f119f49f984b0cf64aa7cc1564"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/database/db-cache.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 44783, "scanner": "repobility-threat-engine", "fingerprint": "74385a134194c862d8c7843279b777cbbd523c6e932ec5ba308fd2a0ca882574", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"^\\w+@(\\w+\\.)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/utils/validate.py|5|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/utils/validate.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 44781, "scanner": "repobility-threat-engine", "fingerprint": "7142ed5104a336301e84d3e5c173523495c5e954f2f94c7532d7b94d59a094ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7142ed5104a336301e84d3e5c173523495c5e954f2f94c7532d7b94d59a094ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/database/db.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False 
in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 44780, "scanner": "repobility-threat-engine", "fingerprint": "3cfcd6bac8b9bbbf5f1d78d636808f520065f09db6f9297e238b0c22707e6fbc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3cfcd6bac8b9bbbf5f1d78d636808f520065f09db6f9297e238b0c22707e6fbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/migrate.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 44779, "scanner": "repobility-threat-engine", "fingerprint": "c3cdb993e622a2b094d1b9cf6a1422a9b9183ee0055f69933f7af44ff59b40cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c3cdb993e622a2b094d1b9cf6a1422a9b9183ee0055f69933f7af44ff59b40cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/init-db.ts"}, "region": {"startLine": 
20}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 44778, "scanner": "repobility-threat-engine", "fingerprint": "bb2c0a721629668825c5a75b3202602a697dab7565701949588d8c92347da8af", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb2c0a721629668825c5a75b3202602a697dab7565701949588d8c92347da8af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/force-push.sh"}, "region": {"startLine": 38}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 27 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=3, for=5, if=8, nested_bonus=11."}, "properties": {"repobilityId": 44771, "scanner": "repobility-threat-engine", "fingerprint": "f2513c6ff3fb63c5160bbb2cc55cbd14f53efce3e9d20ba341bd2705061dc7b3", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 27 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 8, "for": 5, "else": 3, "nested_bonus": 11}, "complexity": 27, "correlation_key": "fp|f2513c6ff3fb63c5160bbb2cc55cbd14f53efce3e9d20ba341bd2705061dc7b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/add_set_variable_test_nodes.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 44768, "scanner": "repobility-threat-engine", "fingerprint": "69305b3c178ee9c10d6310f8029ea5837433e743a31b29ddb56ac003174bcc70", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}=${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|69305b3c178ee9c10d6310f8029ea5837433e743a31b29ddb56ac003174bcc70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/auth/handlers/miniAppAuthHandler.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 44767, "scanner": "repobility-threat-engine", "fingerprint": "f0370c09173d4fa9d63e725512bc49066211f4eb0dd1e775c51b9393ec30ed71", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n            ([theme, prefix]) => `\n${prefix} [data-chart=${id}] {\n${colorConfig\n  .map(([key, i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f0370c09173d4fa9d63e725512bc49066211f4eb0dd1e775c51b9393ec30ed71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/ui/chart.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 44761, "scanner": "repobility-threat-engine", "fingerprint": "dd8c5e5275fbbfae2df65a1b129f15a8b135ca8b505d7bcac370ca0cf0bedd34", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`\ud83e\udd16 \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c \u0442\u043e\u043a\u0435\u043d \u0431\u043e\u0442\u0430: ${telegramBotToken.substring(0, 10)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|3|console.log : telegrambottoken.substring 0 10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/fetch-user-avatars.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 44760, "scanner": "repobility-threat-engine", "fingerprint": "67dbdc9e4cafac80af84e1ec88370cca0432ee049f3329013c87900cc0017c35", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`\ud83e\udd16 \u0422\u043e\u043a\u0435\u043d \u0431\u043e\u0442\u0430: ${telegramBotToken.substring(0, 10)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|scripts/fetch-bot-avatar.ts|3|console.log : telegrambottoken.substring 0 10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/fetch-bot-avatar.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 44759, "scanner": "repobility-threat-engine", "fingerprint": "30800d2af41aff5c4eedd0151ca1504e0da80eb735bd06c3bf7a4f4c2625f19a", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`git push https://${token}@github.com/${owner}/${repo}.git ${branch}\\n`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|scripts/auto-push-github.ts|9|console.log git push https:// token github.com/ owner / repo .git branch n"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/auto-push-github.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 44757, "scanner": "repobility-threat-engine", "fingerprint": "e6f4fbcfb60077247983d40c0bf8de25005da2f8b636adb8dced6a56695cc331", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e6f4fbcfb60077247983d40c0bf8de25005da2f8b636adb8dced6a56695cc331"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/find-unused-ts.mjs"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 44756, "scanner": "repobility-threat-engine", "fingerprint": "40245c832b656f5f347b3680e821ad5b0164fef97c7b4aa9d8f58378665c5906", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(pythonCode", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|40245c832b656f5f347b3680e821ad5b0164fef97c7b4aa9d8f58378665c5906"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/sidebar/parsePythonCodeToJson.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 44755, "scanner": "repobility-threat-engine", "fingerprint": "716920d9c92899a9c3c44b38a4653d5cd3b58eb5fd54140975e8a74835013d7f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(importState", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|716920d9c92899a9c3c44b38a4653d5cd3b58eb5fd54140975e8a74835013d7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/sidebar/hooks/useImportExport.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. 
libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 44744, "scanner": "repobility-threat-engine", "fingerprint": "7ca0e0215f968c3e14819c403091e50c21c4075c94baacf157c98ad0f7f3f68f", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7ca0e0215f968c3e14819c403091e50c21c4075c94baacf157c98ad0f7f3f68f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/inline-rich/utils/formatting-parser.tsx"}, "region": {"startLine": 180}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. 
libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 44743, "scanner": "repobility-threat-engine", "fingerprint": "47e40c61fd3af4d36ff78bce43bf757efc18440aa96548d5c2229e82e84281df", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|47e40c61fd3af4d36ff78bce43bf757efc18440aa96548d5c2229e82e84281df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/inline-rich/utils/escape-html-content.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 44731, "scanner": "repobility-threat-engine", "fingerprint": "dc09d067ddd77007941b5a86811c5080ce78739749c02bb19b84a4761f7ae77c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(categoryName);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dc09d067ddd77007941b5a86811c5080ce78739749c02bb19b84a4761f7ae77c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/sidebar/components/ComponentPalette.tsx"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 44730, "scanner": "repobility-threat-engine", "fingerprint": "b5d0dc70f09d6f74434170998d5c89ee0aff136d7ad5881a9768957732ec02de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b5d0dc70f09d6f74434170998d5c89ee0aff136d7ad5881a9768957732ec02de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/header/hooks/use-telegram-auth.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 44729, "scanner": "repobility-threat-engine", "fingerprint": "787a290778e1315bcd19e00a7037654a7a006dfc229bb16bedcef7fa60594fb8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|787a290778e1315bcd19e00a7037654a7a006dfc229bb16bedcef7fa60594fb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/database/dialog/dialog-panel.tsx"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 44724, "scanner": "repobility-threat-engine", "fingerprint": "9c3b05fae3d953aa9c22209d2a422742fa7d7485e4c3da047feba83de3f7af00", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9c3b05fae3d953aa9c22209d2a422742fa7d7485e4c3da047feba83de3f7af00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/canvas/canvas-node/media-attachments-preview.tsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 44723, "scanner": "repobility-threat-engine", "fingerprint": "ecc2a477a92ef7acefd6fea11b9701acb56a490cc2061a3bec3918bfbdb7de18", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ecc2a477a92ef7acefd6fea11b9701acb56a490cc2061a3bec3918bfbdb7de18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/broadcast/components/media-preview.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 44722, "scanner": "repobility-threat-engine", "fingerprint": "62ad11b9914a935ae6eb4ad61197b767c67d09fa1af2187673f53981bebae6ad", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|62ad11b9914a935ae6eb4ad61197b767c67d09fa1af2187673f53981bebae6ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/editor/bot/card/BotLaunchSettings.tsx"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "[MINED114] Admin endpoint without auth: POST /api/projects/:id/admin-ids/remove: Express route on /admin path (/api/projects/:id/admin-ids/remove) with no auth middleware."}, "properties": {"repobilityId": 44915, "scanner": "repobility-route-auth", "fingerprint": "11de422b7a52c4f92d547dd9355adc24b82829a22e30ef2070a1c879bad05448", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|11de422b7a52c4f92d547dd9355adc24b82829a22e30ef2070a1c879bad05448"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "[MINED114] Admin endpoint without auth: PUT /api/projects/:id/admin-ids: Express route on /admin path 
(/api/projects/:id/admin-ids) with no auth middleware."}, "properties": {"repobilityId": 44914, "scanner": "repobility-route-auth", "fingerprint": "99ce15b67e3569acb65f04a8f77fec1a97debd0f6487c9ced6bbb363e85bee73", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|99ce15b67e3569acb65f04a8f77fec1a97debd0f6487c9ced6bbb363e85bee73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/setupProjectRoutes.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED007", "level": "error", "message": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "properties": {"repobilityId": 44808, "scanner": "repobility-threat-engine", "fingerprint": "dbd68103f90d469ce2242e67b4aa2224c2da72902d54f1831b690b740b4ac677", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dbd68103f90d469ce2242e67b4aa2224c2da72902d54f1831b690b740b4ac677"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_list_tables.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED007", "level": "error", "message": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... 
{user_input} ...\") \u2014 SQL injection."}, "properties": {"repobilityId": 44807, "scanner": "repobility-threat-engine", "fingerprint": "ef05aa5f52aab088fb82d75f542de867e5e6d890e7ea9a64ad5b2fdacf7a9234", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef05aa5f52aab088fb82d75f542de867e5e6d890e7ea9a64ad5b2fdacf7a9234"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_check_orphans.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED007", "level": "error", "message": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... 
{user_input} ...\") \u2014 SQL injection."}, "properties": {"repobilityId": 44806, "scanner": "repobility-threat-engine", "fingerprint": "d74531071736e02384a53742c04fe7548a1bf96b90587b1b2eb98aefcc47bf98", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d74531071736e02384a53742c04fe7548a1bf96b90587b1b2eb98aefcc47bf98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_check_db.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 44786, "scanner": "repobility-threat-engine", "fingerprint": "367e2fad0a258a76aa50114974cc4e295bf2a2f9a38c28a27ad6c7ac5fe379e3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|367e2fad0a258a76aa50114974cc4e295bf2a2f9a38c28a27ad6c7ac5fe379e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/userTemplates/handlers/createTemplateHandler.ts"}, "region": 
{"startLine": 29}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 44785, "scanner": "repobility-threat-engine", "fingerprint": "e80bebad1992f3a747a5c15d6e3fc84352995265da2bc2696fc7baf9f07a7a5b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e80bebad1992f3a747a5c15d6e3fc84352995265da2bc2696fc7baf9f07a7a5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/database/EnhancedDatabaseStorage.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC010", "level": "error", "message": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "properties": {"repobilityId": 44777, "scanner": "repobility-threat-engine", "fingerprint": "dce8723465f2f970969c710d7d511d734f4a163a6c516485b153ea6739870938", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "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", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC010", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|scripts/force-push.sh|3|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/force-push.sh"}, "region": {"startLine": 
38}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 44749, "scanner": "repobility-threat-engine", "fingerprint": "28f235aa576f56087aac98f07b8f1ab3a0a3f3d1061230623105087f208eb139", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://postgres:postgres@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|tools/_check_logs.py|1|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_check_logs.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 44748, "scanner": "repobility-threat-engine", "fingerprint": "b4b87a4014c0b5194aef1f812f934554202514a1b62d97fc01f4f73e3a8c65e0", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://postgres:postgres@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|tools/_check_db.py|1|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/_check_db.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 44747, "scanner": "repobility-threat-engine", "fingerprint": "be095bcb9a74203f0251f9f4e4b8969452c79aa448cf72a2b5efb53b09bb5b2d", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://postgres:Werty334@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/utils/update-project.js"}, "region": {"startLine": 2}}}]}]}]}