{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "When dependency installation comes after COPY ., any source change invalidates the dependency layer and makes Docker rebuild much more slowly."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete 
.dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. 
Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. 
A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `save_weight` has cognitive complexity 18 (SonarSource scale). Cognitive c", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `save_weight` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion a"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 18."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. 
If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "Mutable default argument in `_get_scores` (dict)", "shortDescription": {"text": "Mutable default argument in `_get_scores` (dict)"}, "fullDescription": {"text": "`def _get_scores(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Pip's package cache increases image size and can preserve unnecessary artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image 
layer"}, "fullDescription": {"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED076", "name": "[MINED076] Catch And Reraise Noop: except X: raise X \u2014 adds no value, hides traceback if AI accidentally changes message", "shortDescription": {"text": "[MINED076] Catch And Reraise Noop: except X: raise X \u2014 adds no value, hides traceback if AI accidentally changes message."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED064] Python Input Call (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 27 more): Same pattern found in 27 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 3 more): Same pattern found in 3 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC011", "name": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted", "shortDescription": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "fullDescription": {"text": "Use torch.load(..., weights_only=True) or use safetensors format."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "DKC004", "name": "Compose service joins the host IPC namespace", "shortDescription": {"text": "Compose service joins the host IPC namespace"}, "fullDescription": {"text": "Sharing host namespaces reduces isolation and can expose host processes, networking, or IPC resources."}, 
"properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC009", "name": "Compose service bind-mounts a sensitive host path", "shortDescription": {"text": "Compose service bind-mounts a sensitive host path"}, "fullDescription": {"text": "Mounting broad host paths exposes host files to the container and can turn app compromise into host compromise."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED021", "name": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape.", "shortDescription": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-22 / A01:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`", "shortDescription": {"text": "Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`"}, "fullDescription": {"text": "`uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `ascendai/cann:9.0.0-910b-ubuntu22.04-py3.11` unpinned", "shortDescription": {"text": "Workflow container/services image `ascendai/cann:9.0.0-910b-ubuntu22.04-py3.11` unpinned"}, "fullDescription": {"text": "`container/services image: ascendai/cann:9.0.0-910b-ubuntu22.04-py3.11` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `pytorch/pytorch:2.6.0-cuda12.4-cudnn9-devel` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `pytorch/pytorch:2.6.0-cuda12.4-cudnn9-devel` not pinned by digest"}, "fullDescription": {"text": "`FROM pytorch/pytorch:2.6.0-cuda12.4-cudnn9-devel` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.13.2`", "shortDescription": {"text": "pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.13.2`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.13.2`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "FastAPI POST /v1/score/evaluation has no auth", "shortDescription": {"text": "FastAPI POST /v1/score/evaluation has no auth"}, "fullDescription": {"text": "Handler `create_score_evaluation` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "Blocking call `requests.post` inside async function `_generate`", "shortDescription": {"text": "Blocking call `requests.post` inside async function `_generate`"}, "fullDescription": {"text": "`requests.post` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.use_rslora` used but never assigned in __init__", "shortDescription": {"text": "`self.use_rslora` used but never assigned in __init__"}, "fullDescription": {"text": "Method `__post_init__` of class `FinetuningArguments` reads `self.use_rslora`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_phi4_template", "shortDescription": {"text": "Phantom test coverage: test_phi4_template"}, "fullDescription": {"text": "Test function `test_phi4_template` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/830"}, "properties": {"repository": "hiyouga/LlamaFactory", "repoUrl": "https://github.com/hiyouga/LlamaFactory", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 73875, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 73874, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 71, "file_path": "src/llamafactory/api/app.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 73873, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django", "FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73856, "scanner": "repobility-docker", "fingerprint": 
"5957bceb625dedd57cb2baedd57f28e5043aecff69471c0cc3d6c95f08b840db", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${BASE_IMAGE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5957bceb625dedd57cb2baedd57f28e5043aecff69471c0cc3d6c95f08b840db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-rocm/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 73855, "scanner": "repobility-docker", "fingerprint": "6bd7fa04669f5f715d7d88df114b58977c48ce20e01a61c6c218925cebbff10f", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 33 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 33, "correlation_key": "fp|6bd7fa04669f5f715d7d88df114b58977c48ce20e01a61c6c218925cebbff10f", "dependency_install_line": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-rocm/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 73853, "scanner": "repobility-docker", "fingerprint": 
"f596532f04db3afad2665f302338e1ffd12e71686f41fe6ec90de73ca13ee73e", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f596532f04db3afad2665f302338e1ffd12e71686f41fe6ec90de73ca13ee73e", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-rocm/Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73851, "scanner": "repobility-docker", "fingerprint": "a5fd508bc14c949c09e46c287a8fc74f5ecb5bf0cc2ffa4482c9dca1b6e4e2b6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${BASE_IMAGE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a5fd508bc14c949c09e46c287a8fc74f5ecb5bf0cc2ffa4482c9dca1b6e4e2b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 73850, "scanner": "repobility-docker", "fingerprint": "3cd50b54b8774a7ffaba45d364827dbdfef34986500cfacc4c9e51a6b37b4ea0", 
"category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 33 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 33, "correlation_key": "fp|3cd50b54b8774a7ffaba45d364827dbdfef34986500cfacc4c9e51a6b37b4ea0", "dependency_install_line": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 73849, "scanner": "repobility-docker", "fingerprint": "a0cb50061150141cf98370bba6f94d96291f52f3c2add227aada3f937d114f13", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|a0cb50061150141cf98370bba6f94d96291f52f3c2add227aada3f937d114f13", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73847, "scanner": "repobility-docker", "fingerprint": "6b41c26e706df4227faf4c88f47444e6704cd87872c417748595a61002ddb137", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was 
found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nvcr.io/nvidia/pytorch:25.06-py3", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6b41c26e706df4227faf4c88f47444e6704cd87872c417748595a61002ddb137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.megatron"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73837, "scanner": "repobility-docker", "fingerprint": "e2a9105ddc15fa1f8ff275caafdece0415c345b3257b1311e4d58b09e7fd1955", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "pytorch/pytorch:2.6.0-cuda12.4-cudnn9-devel", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e2a9105ddc15fa1f8ff275caafdece0415c345b3257b1311e4d58b09e7fd1955"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.base"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73829, "scanner": "repobility-docker", "fingerprint": "967458e383e28cac688498915e66b46aef72284975f0ed87c3cfe6ae77b5ee0b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${BASE_IMAGE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|967458e383e28cac688498915e66b46aef72284975f0ed87c3cfe6ae77b5ee0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 73828, "scanner": "repobility-docker", "fingerprint": "ab89d5659acd8fa4950af263a5a0c57714c814f16fd01cc6e069abd9ad76ff69", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 32 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 32, "correlation_key": "fp|ab89d5659acd8fa4950af263a5a0c57714c814f16fd01cc6e069abd9ad76ff69", "dependency_install_line": 35}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 73827, "scanner": "repobility-docker", "fingerprint": "d9aee236b7b2bb4151f78a56fd7e86780f769d700b3ccd402f503bef52d5fe06", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy 
found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d9aee236b7b2bb4151f78a56fd7e86780f769d700b3ccd402f503bef52d5fe06", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 73823, "scanner": "repobility-threat-engine", "fingerprint": "beca5a38ee63f0f1e39f1fbae38734d3b3ad7701b43906e8a8cae0d3eebb1904", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        with open(os.path.join(dataset_dir, DATA_CONFIG), encoding=\"utf-8\") as f:\n            r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|beca5a38ee63f0f1e39f1fbae38734d3b3ad7701b43906e8a8cae0d3eebb1904"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/webui/common.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: 
Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 73818, "scanner": "repobility-threat-engine", "fingerprint": "8368ef9d2de4946a6438c45fc9030b9d9766fb2806ea27284d60b8bd4adef014", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8368ef9d2de4946a6438c45fc9030b9d9766fb2806ea27284d60b8bd4adef014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/webui/common.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 73817, "scanner": "repobility-threat-engine", "fingerprint": "0e26ae125ab12aa8e0a2f50efb177049cb8e62140cd6943299cbc80d123a2109", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0e26ae125ab12aa8e0a2f50efb177049cb8e62140cd6943299cbc80d123a2109"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/extras/env.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 73810, "scanner": "repobility-threat-engine", "fingerprint": "19fd67ac8e9671b81bc5da91be3eb70b76fb5cdceb7a9de43a54ef6af727eae3", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|79|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/eval/evaluator.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. 
Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 73805, "scanner": "repobility-threat-engine", "fingerprint": "ee099860b0f042b15f10bf08518978974ac2e1aa2f58da7f959de2837629a2c2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def get_scores(\n        self,\n        batch_input: list[str],\n        **input_kwargs,\n    ) -> list[", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ee099860b0f042b15f10bf08518978974ac2e1aa2f58da7f959de2837629a2c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/chat/vllm_engine.py"}, "region": {"startLine": 263}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `save_weight` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=1, else=3, for=3, if=4, nested_bonus=5, ternary=2."}, "properties": {"repobilityId": 73778, "scanner": "repobility-threat-engine", "fingerprint": "bc8dac84d7416c5cf766ce0a1e346c2f15b0312e8a8b3e2977199101c7182471", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 18 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "save_weight", "breakdown": {"if": 4, "for": 3, "elif": 1, "else": 3, "ternary": 2, "nested_bonus": 5}, "complexity": 18, "correlation_key": "fp|bc8dac84d7416c5cf766ce0a1e346c2f15b0312e8a8b3e2977199101c7182471"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/convert_ckpt/llamafy_baichuan2.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 73765, "scanner": "repobility-threat-engine", "fingerprint": "71f130f55aebc5a98c9250fe44dd94905746825e71b9027a1fb6e2b7da64dc58", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = targetUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|71f130f55aebc5a98c9250fe44dd94905746825e71b9027a1fb6e2b7da64dc58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/_static/js/switcher.js"}, "region": {"startLine": 34}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 73764, "scanner": "repobility-agent-runtime", "fingerprint": "e56cb35dc42bbe42785654545b7f0e714c54205bfe912af088eeb7e908b93fbd", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e56cb35dc42bbe42785654545b7f0e714c54205bfe912af088eeb7e908b93fbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_npu.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73733, "scanner": "repobility-ast-engine", "fingerprint": "1f586a3cd49142e040d7dd35309d2ce13e7d8608c50c315ebb29278c91c111d4", "category": "quality", "severity": "medium", "confidence": 1.0, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1f586a3cd49142e040d7dd35309d2ce13e7d8608c50c315ebb29278c91c111d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/model/model_utils/valuehead.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73732, "scanner": "repobility-ast-engine", "fingerprint": "edcaec4933a142e3aebaf5005f98e5e2ffcbeeaf8159a7ee495e04f102e54db0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|edcaec4933a142e3aebaf5005f98e5e2ffcbeeaf8159a7ee495e04f102e54db0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/model/model_utils/valuehead.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73731, "scanner": "repobility-ast-engine", "fingerprint": "75003d30bbaed74fbd266d19be5cbf806ff679cd03f31d5db89fd4a71f8c80c6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|75003d30bbaed74fbd266d19be5cbf806ff679cd03f31d5db89fd4a71f8c80c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/mca/workflow.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73730, "scanner": "repobility-ast-engine", "fingerprint": "108de46c145e92b0785d678f2becd2c8dc4bd78cc4c8704827b220b93b3f7d77", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|108de46c145e92b0785d678f2becd2c8dc4bd78cc4c8704827b220b93b3f7d77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/v1/utils/packages.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73729, "scanner": "repobility-ast-engine", "fingerprint": "471fd8c6a53a6bd719cea45a7dd429483015ba3a77b5c1cfbf2131c5c6eeb7fd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|471fd8c6a53a6bd719cea45a7dd429483015ba3a77b5c1cfbf2131c5c6eeb7fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/webui/components/data.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73728, 
"scanner": "repobility-ast-engine", "fingerprint": "78a3e582ea6511f3210d4937816dea399d448f6168eebaca92a9ed69b61b298a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|78a3e582ea6511f3210d4937816dea399d448f6168eebaca92a9ed69b61b298a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/webui/components/chatbot.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73727, "scanner": "repobility-ast-engine", "fingerprint": "a4734b01b083d25fe2838d3143f182f7876d310c1662c53df3e70e9a2091b13a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a4734b01b083d25fe2838d3143f182f7876d310c1662c53df3e70e9a2091b13a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/webui/common.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73726, "scanner": "repobility-ast-engine", "fingerprint": "01f3dda838e4a6bf7fe24c9486e15c6a22bc13ea077d0140bbcf8a83b52fb4a7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": 
[], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|01f3dda838e4a6bf7fe24c9486e15c6a22bc13ea077d0140bbcf8a83b52fb4a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/webui/common.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `_get_scores` (dict)"}, "properties": {"repobilityId": 73724, "scanner": "repobility-ast-engine", "fingerprint": "1e076e5d72476e0e3d615139b7fe6873e1e95b1bf9019e9ebe1fa90815b74618", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1e076e5d72476e0e3d615139b7fe6873e1e95b1bf9019e9ebe1fa90815b74618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/chat/hf_engine.py"}, "region": {"startLine": 314}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `_stream_chat` (dict)"}, "properties": {"repobilityId": 73723, "scanner": "repobility-ast-engine", "fingerprint": "9c3fa68779ea9f0b260bb04675f203c4966c264ddd7cc533acd82c9f03c808dc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9c3fa68779ea9f0b260bb04675f203c4966c264ddd7cc533acd82c9f03c808dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/chat/hf_engine.py"}, "region": {"startLine": 
267}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `_chat` (dict)"}, "properties": {"repobilityId": 73722, "scanner": "repobility-ast-engine", "fingerprint": "2fd89b923f7d3a23e83bb9e2e05071a4c86028a22407c6df399b19dd0c6ede89", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2fd89b923f7d3a23e83bb9e2e05071a4c86028a22407c6df399b19dd0c6ede89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/chat/hf_engine.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `_process_args` (dict)"}, "properties": {"repobilityId": 73721, "scanner": "repobility-ast-engine", "fingerprint": "5f1b84f95f47ef3d17cbb314ee1ed70c501d3faaa0ba0708c84201ed9f1bbdcb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5f1b84f95f47ef3d17cbb314ee1ed70c501d3faaa0ba0708c84201ed9f1bbdcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/chat/hf_engine.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73720, "scanner": "repobility-ast-engine", "fingerprint": "8476f93699aea5983e143ef32cf7be758ea325ff1852fc94dd078d22d6478ee7", "category": "quality", "severity": "medium", "confidence": 
1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8476f93699aea5983e143ef32cf7be758ea325ff1852fc94dd078d22d6478ee7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/extras/packages.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `plot_loss` (list)"}, "properties": {"repobilityId": 73719, "scanner": "repobility-ast-engine", "fingerprint": "1ce23b981305d786dd68f4c3b58aba6278630f3e85cb10657360401dfa21192e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1ce23b981305d786dd68f4c3b58aba6278630f3e85cb10657360401dfa21192e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/extras/ploting.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73718, "scanner": "repobility-ast-engine", "fingerprint": "5d9f66b0aa75df99aebc473bb8e6c021d54a5eded397b7e8cf6beba363d37b9f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|5d9f66b0aa75df99aebc473bb8e6c021d54a5eded397b7e8cf6beba363d37b9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/extras/misc.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `compare_model` (list)"}, "properties": {"repobilityId": 73717, "scanner": "repobility-ast-engine", "fingerprint": "71db8a08e604c77d5024691780b8b623cb26144b0773d80ac74d54d3a9a23315", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|71db8a08e604c77d5024691780b8b623cb26144b0773d80ac74d54d3a9a23315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/test_utils.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73716, "scanner": "repobility-ast-engine", "fingerprint": "f310be344c12533ec2d09edd8b3037c02296031a88294cfb582db74ff46b60c4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f310be344c12533ec2d09edd8b3037c02296031a88294cfb582db74ff46b60c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/trainer_utils.py"}, "region": {"startLine": 876}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 
73715, "scanner": "repobility-ast-engine", "fingerprint": "e39022f1cd7c7c1cfe3afc24d09087b50ef3647bc90d8b789c993fb431db2d69", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e39022f1cd7c7c1cfe3afc24d09087b50ef3647bc90d8b789c993fb431db2d69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/data/data_utils.py"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73714, "scanner": "repobility-ast-engine", "fingerprint": "759c93d7424d618b1956d620a8302acca091777e6d600b5222c9a74d521d2c02", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|759c93d7424d618b1956d620a8302acca091777e6d600b5222c9a74d521d2c02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/data/parser.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `_check_plugin` (dict)"}, "properties": {"repobilityId": 73689, "scanner": "repobility-ast-engine", "fingerprint": "318cddebe5eaf583d84f36e680b4c8abf82aba542e75a83f628f40bd3f6a3362", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, 
"cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|318cddebe5eaf583d84f36e680b4c8abf82aba542e75a83f628f40bd3f6a3362"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73662, "scanner": "repobility-ast-engine", "fingerprint": "d0b87af28f48b59535c2d01a44ee0894e81032bd4bdeb48809ac77eab2819603", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d0b87af28f48b59535c2d01a44ee0894e81032bd4bdeb48809ac77eab2819603"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/qwen_omni_merge.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 73661, "scanner": "repobility-ast-engine", "fingerprint": "412bf4441bfe5d88b72b3bcd35fbc1df884ba1a7763a8ab64d9e893bbb6e9638", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|412bf4441bfe5d88b72b3bcd35fbc1df884ba1a7763a8ab64d9e893bbb6e9638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/qwen_omni_merge.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "DKC010", "level": "note", 
"message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73870, "scanner": "repobility-docker", "fingerprint": "1a025ac7995851d50dfadd5bf06296857e9bed93051297ccbd374ddf5a66fa2d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "llamafactory", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1a025ac7995851d50dfadd5bf06296857e9bed93051297ccbd374ddf5a66fa2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-rocm/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73869, "scanner": "repobility-docker", "fingerprint": "17cb1a5f042721fd0652b04f3e9a059b54695d1370ddd3e84e5ac58e540c142a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "llamafactory", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|17cb1a5f042721fd0652b04f3e9a059b54695d1370ddd3e84e5ac58e540c142a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-rocm/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73867, "scanner": "repobility-docker", "fingerprint": 
"500ee78e0dce8c9558d0f204de7e9b08ad3278c183eb5a30f59063fcaa724d0d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "llamafactory-a3", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|500ee78e0dce8c9558d0f204de7e9b08ad3278c183eb5a30f59063fcaa724d0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/docker-compose.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73865, "scanner": "repobility-docker", "fingerprint": "44b6d8f6ccfa627a5cd039b6a9f4b7791c71f1c49212d34a05844e52b71701db", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "llamafactory-a3", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|44b6d8f6ccfa627a5cd039b6a9f4b7791c71f1c49212d34a05844e52b71701db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/docker-compose.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73863, "scanner": "repobility-docker", "fingerprint": "df39ee5e07ef46e4c31ca1fec4e176c52c9c55f9845569b8e6cc488768908298", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", 
"isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "llamafactory-a2", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|df39ee5e07ef46e4c31ca1fec4e176c52c9c55f9845569b8e6cc488768908298"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73861, "scanner": "repobility-docker", "fingerprint": "bb5b6e3662a6a7023c822cf15be2da2891ec21a244ae33672ae195ad82338376", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "llamafactory-a2", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bb5b6e3662a6a7023c822cf15be2da2891ec21a244ae33672ae195ad82338376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73859, "scanner": "repobility-docker", "fingerprint": "b94fdfdef58797a37bed127b5eb83d91f38f7ffe9e546fde31343087fc8060d5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": 
"llamafactory", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b94fdfdef58797a37bed127b5eb83d91f38f7ffe9e546fde31343087fc8060d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73858, "scanner": "repobility-docker", "fingerprint": "189cafec7e44ed80a266f15e253af68a25952a4c072c00c58dd6910bf0341ac5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "llamafactory", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|189cafec7e44ed80a266f15e253af68a25952a4c072c00c58dd6910bf0341ac5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 73854, "scanner": "repobility-docker", "fingerprint": "b0f38cd4f46b32c88e0479fe03ba6036c89b7b9fe8ed35fb7b2bbd0e79f77476", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b0f38cd4f46b32c88e0479fe03ba6036c89b7b9fe8ed35fb7b2bbd0e79f77476"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "docker/docker-rocm/Dockerfile"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 73846, "scanner": "repobility-docker", "fingerprint": "86ab3fe1f87b78b6d6a5b31093f2822a0f3ae9cbc4f57f149034fc8dd87b8a21", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|86ab3fe1f87b78b6d6a5b31093f2822a0f3ae9cbc4f57f149034fc8dd87b8a21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.megatron"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 73845, "scanner": "repobility-docker", "fingerprint": "4e0304c63fe3072c2377ee68e38c173f063c0e0448ed86a59cb61910f1b236bd", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4e0304c63fe3072c2377ee68e38c173f063c0e0448ed86a59cb61910f1b236bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.megatron"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 73844, "scanner": "repobility-docker", "fingerprint": 
"e9911c4cc2f4fdbf00f184862352aa9b6568b1ece6a462f18a96e9306003e119", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e9911c4cc2f4fdbf00f184862352aa9b6568b1ece6a462f18a96e9306003e119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.megatron"}, "region": {"startLine": 48}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 73843, "scanner": "repobility-docker", "fingerprint": "c1a2d829aaaad2d716f9d526c32d64b50abf371be2e4ecb7c910341e66b2be89", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c1a2d829aaaad2d716f9d526c32d64b50abf371be2e4ecb7c910341e66b2be89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.megatron"}, "region": {"startLine": 48}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 73842, "scanner": "repobility-docker", "fingerprint": "6bf29ad7be785ccc49a22491c26e209c3ad5ced7dfcfecb38b880097804c339f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": 
{"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|6bf29ad7be785ccc49a22491c26e209c3ad5ced7dfcfecb38b880097804c339f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.megatron"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 73841, "scanner": "repobility-docker", "fingerprint": "9d69aa05db8af57758754863adbe77b48f4d744e6d9d3b6661ad84240e975d61", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9d69aa05db8af57758754863adbe77b48f4d744e6d9d3b6661ad84240e975d61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.megatron"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 73840, "scanner": "repobility-docker", "fingerprint": "894e1b78df7e581931a81b087496114428b495c19ef4abc1aa2e72d4c1dac250", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|894e1b78df7e581931a81b087496114428b495c19ef4abc1aa2e72d4c1dac250"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.megatron"}, 
"region": {"startLine": 20}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 73839, "scanner": "repobility-docker", "fingerprint": "9cfdd6beb5485d3b3b438297ca67807b67788528d7f3292527f2173a87dda76d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9cfdd6beb5485d3b3b438297ca67807b67788528d7f3292527f2173a87dda76d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.megatron"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 73838, "scanner": "repobility-docker", "fingerprint": "25280dcd60ea22a4b41595d431ccc61365e7d2a5c91d28f2784876086c8c58f3", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|25280dcd60ea22a4b41595d431ccc61365e7d2a5c91d28f2784876086c8c58f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.megatron"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 73836, "scanner": "repobility-docker", "fingerprint": "61dc81d420bfa2e55079b9267da610e5fcb9dcb4c22c2858bd295581a7f1239d", "category": "docker", "severity": "low", "confidence": 
0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|61dc81d420bfa2e55079b9267da610e5fcb9dcb4c22c2858bd295581a7f1239d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.base"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 73835, "scanner": "repobility-docker", "fingerprint": "da72dd285c033489c7de618646af16c877738c48e447dddad2f2cab0618a65e1", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|da72dd285c033489c7de618646af16c877738c48e447dddad2f2cab0618a65e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.base"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 73834, "scanner": "repobility-docker", "fingerprint": "ed8a706af13676fca5371ae2daa40ede76cf110102b2647df745dbc4345540c1", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ed8a706af13676fca5371ae2daa40ede76cf110102b2647df745dbc4345540c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.base"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 73833, "scanner": "repobility-docker", "fingerprint": "a09d10eff2b1693b4afbf8832b87acc765c304ed73ee98ea69d58a702bedaa8c", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|a09d10eff2b1693b4afbf8832b87acc765c304ed73ee98ea69d58a702bedaa8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.base"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 73832, "scanner": "repobility-docker", "fingerprint": "682da0bef1f46a6aabf5757c8d22e5cbe502db6ecd031df0f1994fc1db8d9c5a", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|682da0bef1f46a6aabf5757c8d22e5cbe502db6ecd031df0f1994fc1db8d9c5a"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.base"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 73831, "scanner": "repobility-docker", "fingerprint": "cc6d701ed0958246afa375c8c321cb88c99476991d9a152f36060ead9c4de0d9", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|cc6d701ed0958246afa375c8c321cb88c99476991d9a152f36060ead9c4de0d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.base"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 73830, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73660, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "76ad03d4927fcdbbc7f74bb2f6a9ec5d4710c9de8b050615837e3f319daf8935", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/conftest.py", "duplicate_line": 13, "correlation_key": "fp|76ad03d4927fcdbbc7f74bb2f6a9ec5d4710c9de8b050615837e3f319daf8935"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests_v1/conftest.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73659, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70a5a0622a61bd34b86ea88c2e86041277bee4dabab36e2025e86434b642af15", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/extras/logging.py", "duplicate_line": 62, "correlation_key": "fp|70a5a0622a61bd34b86ea88c2e86041277bee4dabab36e2025e86434b642af15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/v1/utils/logging.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73658, "scanner": "repobility-ai-code-hygiene", "fingerprint": "496d78cc1375e42eaded925e15ab89025a13934101434e348a693166a9a66fd2", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/chat/chat_model.py", "duplicate_line": 125, "correlation_key": "fp|496d78cc1375e42eaded925e15ab89025a13934101434e348a693166a9a66fd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/v1/samplers/cli_sampler.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73657, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38dd77b1987dea060ca00030e1e6cf93c02c967c20c2e3bb5cea5b25cd4ea43c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/launcher.py", "duplicate_line": 40, "correlation_key": "fp|38dd77b1987dea060ca00030e1e6cf93c02c967c20c2e3bb5cea5b25cd4ea43c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/v1/launcher.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73656, "scanner": "repobility-ai-code-hygiene", "fingerprint": "afc8b79a5dfebf5e6df49e9a05f7c70eab8e1fa0ee80030f858893a72b0bb760", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/train/rm/workflow.py", "duplicate_line": 40, "correlation_key": "fp|afc8b79a5dfebf5e6df49e9a05f7c70eab8e1fa0ee80030f858893a72b0bb760"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/sft/workflow.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73655, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d368620e40b3e97cd1978d259798a3064f93c2d04b48518b0918feb5ef4739f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/train/hyper_parallel/workflow.py", "duplicate_line": 110, "correlation_key": "fp|d368620e40b3e97cd1978d259798a3064f93c2d04b48518b0918feb5ef4739f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/sft/workflow.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73654, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46c3c37561859355b4c88758c1d5ae07bed86ebeff8df4bac5f778a2a779c66e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/train/dpo/trainer.py", "duplicate_line": 85, "correlation_key": "fp|46c3c37561859355b4c88758c1d5ae07bed86ebeff8df4bac5f778a2a779c66e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/sft/trainer.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73653, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2e583236f28cd35217208873f6b917161d9ee5072b7875d7b792bc5237d1fe7e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/train/pt/trainer.py", "duplicate_line": 36, "correlation_key": "fp|2e583236f28cd35217208873f6b917161d9ee5072b7875d7b792bc5237d1fe7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/sft/trainer.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73652, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7ebf85a985968308da8f574bb3945ec176b85d64a0208d4791266420e8492af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/train/dpo/trainer.py", "duplicate_line": 85, "correlation_key": 
"fp|e7ebf85a985968308da8f574bb3945ec176b85d64a0208d4791266420e8492af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/rm/trainer.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73651, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a275f2596ee8a8f0b81d670b2be64a62cde1a71ad9d1a6485a914dc9f85803a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/train/kto/trainer.py", "duplicate_line": 76, "correlation_key": "fp|a275f2596ee8a8f0b81d670b2be64a62cde1a71ad9d1a6485a914dc9f85803a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/rm/trainer.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73650, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4781552516a712a15f671c6a281f1f8564e5bef82c7df6a37246b5ff4bfb7f35", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/train/hyper_parallel/workflow.py", "duplicate_line": 46, "correlation_key": "fp|4781552516a712a15f671c6a281f1f8564e5bef82c7df6a37246b5ff4bfb7f35"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "src/llamafactory/train/pt/workflow.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73649, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7034698b3e32046cef41a1816494adea1f533379275b099393c9097b6b422e1e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/train/dpo/trainer.py", "duplicate_line": 85, "correlation_key": "fp|7034698b3e32046cef41a1816494adea1f533379275b099393c9097b6b422e1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/pt/trainer.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73648, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e79e5f5bb07db6cbf08b69923d17be9618d1cc2fe1dce9ababb417750f6bfea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/train/dpo/workflow.py", "duplicate_line": 48, "correlation_key": "fp|1e79e5f5bb07db6cbf08b69923d17be9618d1cc2fe1dce9ababb417750f6bfea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/mca/workflow.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "AIC003", "level": "note", "message": 
{"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73647, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7352b69b5d523bd4a0749d00ec087e63548cd52178aee91fcb0e6db42447fe6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/train/hyper_parallel/workflow.py", "duplicate_line": 47, "correlation_key": "fp|f7352b69b5d523bd4a0749d00ec087e63548cd52178aee91fcb0e6db42447fe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/kto/workflow.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73646, "scanner": "repobility-ai-code-hygiene", "fingerprint": "297957cfbf79bc5bf8be2086ed1e5117fe193483c94792cfd1467411a2930fa1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/train/dpo/trainer.py", "duplicate_line": 21, "correlation_key": "fp|297957cfbf79bc5bf8be2086ed1e5117fe193483c94792cfd1467411a2930fa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/kto/trainer.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73645, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "9639c86fa6e014bec93a7dc19308e8e771b2701c76380855c6f0df16eaabb233", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/data/processor/supervised.py", "duplicate_line": 78, "correlation_key": "fp|9639c86fa6e014bec93a7dc19308e8e771b2701c76380855c6f0df16eaabb233"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/data/processor/unsupervised.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73644, "scanner": "repobility-ai-code-hygiene", "fingerprint": "34c48f2b7f18db1eab3bb7bdaa7473baec366a71b1a803618b86a5c1bd1cf07c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/llamafactory/chat/sglang_engine.py", "duplicate_line": 39, "correlation_key": "fp|34c48f2b7f18db1eab3bb7bdaa7473baec366a71b1a803618b86a5c1bd1cf07c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/chat/vllm_engine.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73643, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1866a21a146c6ba44c32e9ebdca5a3869c8275e7f52964eb02a3a089bc4299a4", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/convert_ckpt/llamafy_baichuan2.py", "duplicate_line": 36, "correlation_key": "fp|1866a21a146c6ba44c32e9ebdca5a3869c8275e7f52964eb02a3a089bc4299a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/llama_pro.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73642, "scanner": "repobility-ai-code-hygiene", "fingerprint": "78930e1a2e8af1154a23509c235f79554f79267c00f348e8a7f438e8c3f8fcbe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/convert_ckpt/llamafy_baichuan2.py", "duplicate_line": 29, "correlation_key": "fp|78930e1a2e8af1154a23509c235f79554f79267c00f348e8a7f438e8c3f8fcbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/convert_ckpt/llamafy_qwen.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 73852, "scanner": "repobility-docker", "fingerprint": "47a36034aabf8756533fd7b5f5562520b01d76b2279dac2d1160fae46a2fb763", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": 
"Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASE_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|47a36034aabf8756533fd7b5f5562520b01d76b2279dac2d1160fae46a2fb763"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-rocm/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 73848, "scanner": "repobility-docker", "fingerprint": "ae58e57efd1be6c67c5396d0938796542cecf1fa4d2c92dbc68689f288fa55f5", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASE_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ae58e57efd1be6c67c5396d0938796542cecf1fa4d2c92dbc68689f288fa55f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 73826, "scanner": "repobility-docker", "fingerprint": "e154c2616c71c21b48a0c12276c21ab1b257a8b28b19706edd66e460b0f64d09", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", 
"evidence": {"image": "${BASE_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e154c2616c71c21b48a0c12276c21ab1b257a8b28b19706edd66e460b0f64d09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 73825, "scanner": "repobility-threat-engine", "fingerprint": "39a1870d2455e32a78bc67986c411d24aa566b337565e24207820713dc3956f2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39a1870d2455e32a78bc67986c411d24aa566b337565e24207820713dc3956f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/webui.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 73824, "scanner": "repobility-threat-engine", "fingerprint": "2c8df384584ecacce7bb65798e203dfd3f4b19cddceb345faa6ec04c4215a9bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context 
found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c8df384584ecacce7bb65798e203dfd3f4b19cddceb345faa6ec04c4215a9bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/webui/interface.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 73822, "scanner": "repobility-threat-engine", "fingerprint": "8de6a12e57a03da50345ddfffaa0d85cdf132b117174964256467b7dc08c0c99", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8de6a12e57a03da50345ddfffaa0d85cdf132b117174964256467b7dc08c0c99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/v1/plugins/trainer_plugins/optimizer.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 73821, "scanner": "repobility-threat-engine", "fingerprint": "8e083fa3c787f4f547c8229db2875c7bb9d59ab0c9d4f2ad96ba3459e17dad34", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e083fa3c787f4f547c8229db2875c7bb9d59ab0c9d4f2ad96ba3459e17dad34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/v1/plugins/trainer_plugins/lr_scheduler.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 73820, "scanner": "repobility-threat-engine", "fingerprint": "8e52f800f3d7a371ae1accb7b6bbada97c87ba083d436a117c7122eecb7d4f97", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e52f800f3d7a371ae1accb7b6bbada97c87ba083d436a117c7122eecb7d4f97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/v1/utils/callbacks/trainer_callback.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 73819, 
"scanner": "repobility-threat-engine", "fingerprint": "d84519724b5c5a8bf782500f24822336bd3407b3b6d9a2cf87ef3cc08d6756af", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d84519724b5c5a8bf782500f24822336bd3407b3b6d9a2cf87ef3cc08d6756af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/v1/accelerator/interface.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 73816, "scanner": "repobility-threat-engine", "fingerprint": "c0243c95a960df79d347d546f02c8d708977edbd4a97478c529e24c680ef3789", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c0243c95a960df79d347d546f02c8d708977edbd4a97478c529e24c680ef3789", "aggregated_count": 4}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 73812, "scanner": "repobility-threat-engine", "fingerprint": "aaf9f700f597fd829b7659c888304949014382940dceac7e4f5f96de18c73ac5", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|106|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/sft/trainer.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 73811, "scanner": "repobility-threat-engine", "fingerprint": "3a86857704dcccec23414dfca8e7736da4bb219b9fbafd9749848ffc3072defb", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|211|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/model/loader.py"}, "region": {"startLine": 211}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 73809, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 73808, "scanner": "repobility-threat-engine", "fingerprint": "19fb72c65a0a1d39686b966d10471ee0e25ee7fdf2e6c2f9df8c15663606e9ab", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "print(\"inputs:\\n{}\".format(self.tokenizer.decode(example[\"input_ids\"], skip_special_tokens=False)", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|13|print inputs: n .format self.tokenizer.decode example input_ids skip_special_tokens false"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/data/processor/supervised.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 73807, "scanner": "repobility-threat-engine", "fingerprint": "40e47f68ab0164770e28e83eea7b7c0b86e46a9655616258561ab6368e685246", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "print(\"inputs:\\n{}\".format(self.tokenizer.decode(example[\"input_ids\"], skip_special_tokens=False)", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|5|print inputs: n .format self.tokenizer.decode example input_ids skip_special_tokens false"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/data/processor/pretrain.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 73806, "scanner": "repobility-threat-engine", "fingerprint": "30c59cee811fec35fa2c59d1e01f97eca8b8c497002b24580427522baa45a6e5", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "print(\"inputs:\\n{}\".format(self.tokenizer.decode(example[\"input_ids\"], skip_special_tokens=False)", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|12|print inputs: n .format self.tokenizer.decode example input_ids skip_special_tokens false"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/data/processor/feedback.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED076", "level": "none", "message": {"text": "[MINED076] Catch And Reraise Noop: except X: raise X \u2014 adds no value, hides traceback if AI accidentally changes message."}, "properties": {"repobilityId": 73804, "scanner": "repobility-threat-engine", "fingerprint": "a309ba0e574b63e5541e17c5fea19ac2cfc172b6ae36043a02efaae08fc7bc3e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "catch-and-reraise-noop", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348079+00:00", "triaged_in_corpus": 10, "observations_count": 8333, "ai_coder_pattern_id": 45}, 
"scanner": "repobility-threat-engine", "correlation_key": "fp|a309ba0e574b63e5541e17c5fea19ac2cfc172b6ae36043a02efaae08fc7bc3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/v1/samplers/cli_sampler.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED076", "level": "none", "message": {"text": "[MINED076] Catch And Reraise Noop: except X: raise X \u2014 adds no value, hides traceback if AI accidentally changes message."}, "properties": {"repobilityId": 73803, "scanner": "repobility-threat-engine", "fingerprint": "7436b25aec88fa35efe12126c6cbfeda4ace72e94e73e08fa8950e480a645a4c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "catch-and-reraise-noop", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348079+00:00", "triaged_in_corpus": 10, "observations_count": 8333, "ai_coder_pattern_id": 45}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7436b25aec88fa35efe12126c6cbfeda4ace72e94e73e08fa8950e480a645a4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/chat/chat_model.py"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 73802, "scanner": "repobility-threat-engine", "fingerprint": "8bae08234a4989d758b644c4243bd0544e93df2325a580b9e750ad487db48009", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8bae08234a4989d758b644c4243bd0544e93df2325a580b9e750ad487db48009", "aggregated_count": 2}}}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 73801, "scanner": "repobility-threat-engine", "fingerprint": "b76becb9e9ac737cc8bdfb47ba4ee5de195932374e3737f30e45a2998082e869", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b76becb9e9ac737cc8bdfb47ba4ee5de195932374e3737f30e45a2998082e869"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/webui/components/chatbot.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 73800, "scanner": "repobility-threat-engine", "fingerprint": "8c37f4c892da4fc9b974d26b1a1333816e076b15d9708fe44345b6b6c88456f8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c37f4c892da4fc9b974d26b1a1333816e076b15d9708fe44345b6b6c88456f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/v1/samplers/cli_sampler.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 73799, "scanner": "repobility-threat-engine", "fingerprint": "a88d41e2a847a958e61d206e9456f3ca2cff906895936ba5dc85e2ef58385454", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a88d41e2a847a958e61d206e9456f3ca2cff906895936ba5dc85e2ef58385454"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/chat/chat_model.py"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 73798, "scanner": "repobility-threat-engine", "fingerprint": "a130f88d7b8e45a3984060f36c319108f9fce8553381d74bb5393b4e50f72972", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a130f88d7b8e45a3984060f36c319108f9fce8553381d74bb5393b4e50f72972"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/api/chat.py"}, "region": {"startLine": 128}}}]}, {"ruleId": 
"MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 73797, "scanner": "repobility-threat-engine", "fingerprint": "1a65322edf1866e87c1c435a91a8c0787eb1267a862451354b9bc2358cef4f2d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a65322edf1866e87c1c435a91a8c0787eb1267a862451354b9bc2358cef4f2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/ppo/ppo_utils.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 73796, "scanner": "repobility-threat-engine", "fingerprint": "6f023cadbbdcb9d929d373202341a0c676fe8516b32c0521ae7cec2a045a8282", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f023cadbbdcb9d929d373202341a0c676fe8516b32c0521ae7cec2a045a8282"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/api/chat.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 73793, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 73789, "scanner": "repobility-threat-engine", "fingerprint": "f924fade838c95d0d4607cb3ae6a43ebaa01ba355d2992731239e3acb2b10746", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f924fade838c95d0d4607cb3ae6a43ebaa01ba355d2992731239e3acb2b10746", "aggregated_count": 27}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 73788, "scanner": "repobility-threat-engine", "fingerprint": "8b7a777e0b1a93dfff2725e2840de650a68e0aa72fb0489431a7e09fbd1b40b9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, 
"promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b7a777e0b1a93dfff2725e2840de650a68e0aa72fb0489431a7e09fbd1b40b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/stat_utils/cal_ppl.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 73787, "scanner": "repobility-threat-engine", "fingerprint": "f9191b22b31960e68e4b338eda833df0843c2cc2ebbc7e96f9dbac849b10b3b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f9191b22b31960e68e4b338eda833df0843c2cc2ebbc7e96f9dbac849b10b3b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/stat_utils/cal_mfu.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 73786, "scanner": "repobility-threat-engine", "fingerprint": "e013bfc0d1fd62ddb2d8ce4f225386d74aed786f3ff6f771f2d1fb271cf065c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched 
with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e013bfc0d1fd62ddb2d8ce4f225386d74aed786f3ff6f771f2d1fb271cf065c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/stat_utils/cal_lr.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 73785, "scanner": "repobility-threat-engine", "fingerprint": "71d23e8be37aca040a52b298288139d03b0a2ee5e2166ea3b7b0733498602571", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|71d23e8be37aca040a52b298288139d03b0a2ee5e2166ea3b7b0733498602571", "aggregated_count": 3}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 73784, "scanner": "repobility-threat-engine", "fingerprint": "0bcc6abd3bde8fcb5997010fd6ab59ec4dc2f7450f5050fee3ba18a8e8f4fa5d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0bcc6abd3bde8fcb5997010fd6ab59ec4dc2f7450f5050fee3ba18a8e8f4fa5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/data/processor/pairwise.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 73783, "scanner": "repobility-threat-engine", "fingerprint": "c3aef182d88c817c755119d36d6fd8b9d5ed0a999f82e962e5fa145355351c8d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating 
context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c3aef182d88c817c755119d36d6fd8b9d5ed0a999f82e962e5fa145355351c8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/data/processor/feedback.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 73782, "scanner": "repobility-threat-engine", "fingerprint": "53bd9dc810523342035a0e8d731dca2b49f7e25a0458cec1d8992b997ad176de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53bd9dc810523342035a0e8d731dca2b49f7e25a0458cec1d8992b997ad176de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/stat_utils/cal_lr.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 85 more): Same pattern found in 85 additional files. 
Review if needed."}, "properties": {"repobilityId": 73781, "scanner": "repobility-threat-engine", "fingerprint": "7c5e4da366adccc7ef81d6f37d14b62312a4acc17ad37f689910af322e928ef0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 85 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "save_weight", "breakdown": {"if": 4, "for": 3, "elif": 1, "else": 3, "ternary": 2, "nested_bonus": 5}, "aggregated": true, "complexity": 18, "correlation_key": "fp|7c5e4da366adccc7ef81d6f37d14b62312a4acc17ad37f689910af322e928ef0", "aggregated_count": 85}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 73775, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "SEC011", "level": "none", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 73767, "scanner": "repobility-threat-engine", "fingerprint": "8a10085397330c7a3f67ccab95c56e896ea22b97d5870c4ee9d693b28276b88b", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "evidence": {"match": "torch.load(", "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|deserialization|token|52|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/model/model_utils/valuehead.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC011", "level": "none", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 73766, "scanner": "repobility-threat-engine", "fingerprint": "5a652366cb97374f0640b991df77355ffa26ddfaf5094cda0674e1fcfad10113", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "evidence": {"match": "torch.load(", "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 0.1, 
"correlation_key": "code|deserialization|token|35|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/convert_ckpt/llamafy_baichuan2.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC004", "level": "error", "message": {"text": "Compose service joins the host IPC namespace"}, "properties": {"repobilityId": 73868, "scanner": "repobility-docker", "fingerprint": "10092a5190f47c4dfe8974430af79db4c5f2d246b62e58cce4b288f6452a4f3f", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ipc: host was set on the service.", "evidence": {"rule_id": "DKC004", "scanner": "repobility-docker", "service": "llamafactory", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|10092a5190f47c4dfe8974430af79db4c5f2d246b62e58cce4b288f6452a4f3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-rocm/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 73866, "scanner": "repobility-docker", "fingerprint": "ba614cca172ff2cfd8fb3385811c0d9c79b4c30d6cccd4eb57f7d0924ee9a901", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path.", "evidence": {"source": "/etc/ascend_install.info", "rule_id": "DKC009", "scanner": "repobility-docker", "service": "llamafactory-a3", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ba614cca172ff2cfd8fb3385811c0d9c79b4c30d6cccd4eb57f7d0924ee9a901"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/docker-compose.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": 
"DKC004", "level": "error", "message": {"text": "Compose service joins the host IPC namespace"}, "properties": {"repobilityId": 73864, "scanner": "repobility-docker", "fingerprint": "a3b5001c1454bad4b0f16b1fc5abc44b12b902b12e50b7a45636b5b36db0c1d2", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ipc: host was set on the service.", "evidence": {"rule_id": "DKC004", "scanner": "repobility-docker", "service": "llamafactory-a3", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a3b5001c1454bad4b0f16b1fc5abc44b12b902b12e50b7a45636b5b36db0c1d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/docker-compose.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 73862, "scanner": "repobility-docker", "fingerprint": "0926413741c002187abfbd4e5143f27446485b444513556b72f4573179c4c50b", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path.", "evidence": {"source": "/etc/ascend_install.info", "rule_id": "DKC009", "scanner": "repobility-docker", "service": "llamafactory-a2", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0926413741c002187abfbd4e5143f27446485b444513556b72f4573179c4c50b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC004", "level": "error", "message": {"text": "Compose service joins the host IPC namespace"}, "properties": {"repobilityId": 73860, "scanner": "repobility-docker", "fingerprint": 
"ddb56659e804a9714bd49d483bab6e022ebdbf5216cf569dde0bf601dbc165f4", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ipc: host was set on the service.", "evidence": {"rule_id": "DKC004", "scanner": "repobility-docker", "service": "llamafactory-a2", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ddb56659e804a9714bd49d483bab6e022ebdbf5216cf569dde0bf601dbc165f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-npu/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC004", "level": "error", "message": {"text": "Compose service joins the host IPC namespace"}, "properties": {"repobilityId": 73857, "scanner": "repobility-docker", "fingerprint": "e6a96dba9ce9e3683af8e564a7910f35b82e49af4c1610ffb7704a6d462245cf", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ipc: host was set on the service.", "evidence": {"rule_id": "DKC004", "scanner": "repobility-docker", "service": "llamafactory", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e6a96dba9ce9e3683af8e564a7910f35b82e49af4c1610ffb7704a6d462245cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 73815, "scanner": "repobility-threat-engine", "fingerprint": "baf651a076f503c5fd936957f912657b0072be1086b4924ee3715b31ab5d768c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|baf651a076f503c5fd936957f912657b0072be1086b4924ee3715b31ab5d768c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/model/model_utils/quantization.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 73814, "scanner": "repobility-threat-engine", "fingerprint": "334791c36b55c1ea3c11eba71160d2363b2b42944ec1a7f982a3caf19f438285", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|334791c36b55c1ea3c11eba71160d2363b2b42944ec1a7f982a3caf19f438285"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/extras/logging.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": 
{"repobilityId": 73813, "scanner": "repobility-threat-engine", "fingerprint": "9f09a5a8bdd34e4e5e00a9a371f234908b6a6e5bc7be11426dd620e1123d795a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f09a5a8bdd34e4e5e00a9a371f234908b6a6e5bc7be11426dd620e1123d795a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/extras/env.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 73795, "scanner": "repobility-threat-engine", "fingerprint": "34801a4e1969a4563487094f70e92c3cec3c8bc1b5dedf263df07712e8a8890f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|34801a4e1969a4563487094f70e92c3cec3c8bc1b5dedf263df07712e8a8890f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/train/ppo/ppo_utils.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 73794, "scanner": "repobility-threat-engine", "fingerprint": "4813672ac0c3069747af2acb83176e181597b2a123e9cc8d347c49754646296f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4813672ac0c3069747af2acb83176e181597b2a123e9cc8d347c49754646296f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/api/chat.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 73792, "scanner": "repobility-threat-engine", "fingerprint": "f002a3c921fd90852aa5e5cb36f0bc373c2c87d7c02ce5835f158eb08cc287d8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(B", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f002a3c921fd90852aa5e5cb36f0bc373c2c87d7c02ce5835f158eb08cc287d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/api/protocol.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 73791, "scanner": "repobility-threat-engine", "fingerprint": "4f9ea32dd04d59baae5ce4f14dd03cb97c8de37c6a2588243758f3ac72f67562", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4f9ea32dd04d59baae5ce4f14dd03cb97c8de37c6a2588243758f3ac72f67562"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/api/common.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Mitigation for this `requests.get(image_url)` fetch: allow only http and https schemes, resolve the hostname and reject loopback, link-local (169.254.0.0/16, which includes the 169.254.169.254 metadata endpoint) and private ranges before connecting, disable redirects or re-validate the target on every hop (a redirect can land on an internal address after the first check passed), and enforce a timeout plus a response size cap so the endpoint cannot be used to exhaust memory. Note that `requests` rejects file:// URLs with an invalid-schema error, so that part of the generic rule text does not apply to this call."}, "properties": {"repobilityId": 73790, "scanner": "repobility-threat-engine", "fingerprint": "770a8641ed7afaaadaa16af688ce48513feb9fbcc264f8fdf0d567c59ca94a8e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(image_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|770a8641ed7afaaadaa16af688ce48513feb9fbcc264f8fdf0d567c59ca94a8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/api/chat.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `block_expansion` has cognitive complexity 35 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=3, for=5, if=9, nested_bonus=16, ternary=2."}, "properties": {"repobilityId": 73780, "scanner": "repobility-threat-engine", "fingerprint": "dc1a396bc2d17c0bcab88b6e45d023b8b1bedcddca447d50dbfe9d978097c573", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 35 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "block_expansion", "breakdown": {"if": 9, "for": 5, "else": 3, "ternary": 2, "nested_bonus": 16}, "complexity": 35, "correlation_key": "fp|dc1a396bc2d17c0bcab88b6e45d023b8b1bedcddca447d50dbfe9d978097c573"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/llama_pro.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `save_weight` has cognitive complexity 48 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=8, else=4, for=4, if=6, nested_bonus=24, ternary=2."}, "properties": {"repobilityId": 73779, "scanner": "repobility-threat-engine", "fingerprint": "ae83d9434c29bef2b87cc8bf624bace9235800a81154d7f1c1451bb74f41efa8", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 48 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "save_weight", "breakdown": {"if": 6, "for": 4, "elif": 8, "else": 4, "ternary": 2, "nested_bonus": 24}, "complexity": 48, "correlation_key": "fp|ae83d9434c29bef2b87cc8bf624bace9235800a81154d7f1c1451bb74f41efa8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/convert_ckpt/llamafy_qwen.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 73777, "scanner": "repobility-threat-engine", "fingerprint": "b4d270af85d500d6bb026f99680dc66b5892c3c1cff91fe55be55a98dffb7ffb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b4d270af85d500d6bb026f99680dc66b5892c3c1cff91fe55be55a98dffb7ffb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/convert_ckpt/llamafy_qwen.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED021", "level": "error", 
"message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 73776, "scanner": "repobility-threat-engine", "fingerprint": "2e74e11901e7eddb2799f222eb98a4bcb719ba933f6eb739d57c662013311dd8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2e74e11901e7eddb2799f222eb98a4bcb719ba933f6eb739d57c662013311dd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/convert_ckpt/llamafy_baichuan2.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 73774, "scanner": "repobility-threat-engine", "fingerprint": "493978812337ccfe0971d5436d13de64b0bd26eadaab1fa7f014456013cae7de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "engine_args.update(model_args.vllm_config)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|493978812337ccfe0971d5436d13de64b0bd26eadaab1fa7f014456013cae7de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/chat/vllm_engine.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 73773, "scanner": "repobility-threat-engine", "fingerprint": "b2a1e7cd9af45622a4bda6757ab310c6c62adb38e8bed7c09336ae3844379ea1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "engine_args.update(model_args.vllm_config)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b2a1e7cd9af45622a4bda6757ab310c6c62adb38e8bed7c09336ae3844379ea1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/vllm_infer.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Triage note: the matched call `baichuan2_state_dict.update(shard_weight)` is a Python `.update(...)` on what appears to be a plain dict, which is synchronous and returns None, so no coroutine or Promise is created; this rule text describes a JavaScript pattern, and the finding should be confirmed against an actual `async def` callee before it is kept as a defect."}, "properties": {"repobilityId": 73772, "scanner": "repobility-threat-engine", "fingerprint": "5a782ab9761ef88889d2b9c933e57c6b7d8deef9f39159eef145930f577bc9db", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "baichuan2_state_dict.update(shard_weight)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5a782ab9761ef88889d2b9c933e57c6b7d8deef9f39159eef145930f577bc9db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/convert_ckpt/llamafy_baichuan2.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 73771, "scanner": "repobility-threat-engine", "fingerprint": "9c5c79f73f4a75e5deaa752b5d0f0cae39fe4b48e9c57412c86a99a3bd6c8a0c", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|42|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/convert_ckpt/llamafy_qwen.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: Normalizing a path does NOT prevent escape from the base directory: `../../../etc/passwd` normalizes cleanly, and in Python `os.path.join(base, seg)` discards `base` entirely when `seg` is absolute. Enforce containment by resolving with `os.path.realpath` and checking `os.path.commonpath([base, resolved]) == base` (or `Path.resolve()` followed by `is_relative_to`). Triage note: this match is in a checkpoint-conversion CLI script where the path appears to come from the operator's own arguments; confirm the value can reach an untrusted caller before treating it as an exploitable trust boundary."}, "properties": {"repobilityId": 73770, "scanner": "repobility-threat-engine", "fingerprint": "97fe1a8c177217715d9a6d70e2a87933d13c73ec839d46b7da148a57cdbc9dac", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|34|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/convert_ckpt/llamafy_baichuan2.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 73769, "scanner": "repobility-threat-engine", "fingerprint": "429ed2775ff78c6e1d0399b6bfc49b8169467b47a06785383fd1ff1b801bd798", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "os.path.join(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|42|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/convert_ckpt/llamafy_qwen.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 73768, "scanner": "repobility-threat-engine", "fingerprint": "d353ded200c29c338ecf3d77c5943e11cdc6484a6d5e00eb8fa45eca121605cd", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "os.path.join(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|34|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/convert_ckpt/llamafy_baichuan2.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`"}, "properties": {"repobilityId": 73763, "scanner": "repobility-supply-chain", "fingerprint": 
"e47a9dfed28929750b29855d4b95a197d29949eb7f37cefbecd6ddd99df9573f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e47a9dfed28929750b29855d4b95a197d29949eb7f37cefbecd6ddd99df9573f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 73762, "scanner": "repobility-supply-chain", "fingerprint": "40990bcd8693da16aebec0b88dfa35b1c2dc1af2f95aeb201043d3bb5fd131a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40990bcd8693da16aebec0b88dfa35b1c2dc1af2f95aeb201043d3bb5fd131a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 73761, "scanner": "repobility-supply-chain", "fingerprint": "fe1d7cba0e56f6009b029c934764888d48bf207ac88bb6e1114c3fc3b8e21fc9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], 
"languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe1d7cba0e56f6009b029c934764888d48bf207ac88bb6e1114c3fc3b8e21fc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 73759, "scanner": "repobility-supply-chain", "fingerprint": "782d9b9f9e9aa4e6e5cb05562bf6666cdf5eaeb592cc327c86c0983ccc2bbfc8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|782d9b9f9e9aa4e6e5cb05562bf6666cdf5eaeb592cc327c86c0983ccc2bbfc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 73758, "scanner": "repobility-supply-chain", "fingerprint": "17c5658ee07fae5f0271f2bca934fa18eab828db1ee0babe2d76206b70f3e8c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|17c5658ee07fae5f0271f2bca934fa18eab828db1ee0babe2d76206b70f3e8c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": 
"MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 73757, "scanner": "repobility-supply-chain", "fingerprint": "8ddbe91b73abfc0a6075d4356d95b18f2852552ae8132638881386a9c2a11b11", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ddbe91b73abfc0a6075d4356d95b18f2852552ae8132638881386a9c2a11b11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/deploy-pages` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 73756, "scanner": "repobility-supply-chain", "fingerprint": "5e61a61e3860b968c5b8c0df77e204290f7083ebfb3d3f32adb2900e32fc8121", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e61a61e3860b968c5b8c0df77e204290f7083ebfb3d3f32adb2900e32fc8121"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-pages-artifact` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 73755, "scanner": "repobility-supply-chain", "fingerprint": "7a544fd5af99c42e1ab12a100b7002447d6c4963bfe3976c2196f2dc731df190", "category": "dependency", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a544fd5af99c42e1ab12a100b7002447d6c4963bfe3976c2196f2dc731df190"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/configure-pages` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 73754, "scanner": "repobility-supply-chain", "fingerprint": "4c9bb713f1d2eebce25be144d01ef3a3d528f46ccc5ccfc48a2ae0b9dcebdd09", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c9bb713f1d2eebce25be144d01ef3a3d528f46ccc5ccfc48a2ae0b9dcebdd09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 73753, "scanner": "repobility-supply-chain", "fingerprint": "59f60183e6c14915c831675993f8a8434d1b8a5e57776f1e05dd8650306bd5ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|59f60183e6c14915c831675993f8a8434d1b8a5e57776f1e05dd8650306bd5ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 73752, "scanner": "repobility-supply-chain", "fingerprint": "3fc1c6e0288b70ee0aa48a85857128da46a2ba0b64181940bba5ad57195d6360", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3fc1c6e0288b70ee0aa48a85857128da46a2ba0b64181940bba5ad57195d6360"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `ascendai/cann:9.0.0-910b-ubuntu22.04-py3.11` unpinned"}, "properties": {"repobilityId": 73751, "scanner": "repobility-supply-chain", "fingerprint": "036b4a76e84fd35f5b11bf4a8bcadf2056e145a9634c2e1d1aa07ad01a9a0322", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|036b4a76e84fd35f5b11bf4a8bcadf2056e145a9634c2e1d1aa07ad01a9a0322"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_npu.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 73749, "scanner": "repobility-supply-chain", "fingerprint": "ea100d85dc0643985634fc52048e881b3110454d8156b0e24434456b0acc0205", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea100d85dc0643985634fc52048e881b3110454d8156b0e24434456b0acc0205"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_npu.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 73748, "scanner": "repobility-supply-chain", "fingerprint": "24950a006f0973fd570869bb5f2e99f91cedfa1e514e0c8547f227be64166a0b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24950a006f0973fd570869bb5f2e99f91cedfa1e514e0c8547f227be64166a0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_npu.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 73745, "scanner": "repobility-supply-chain", "fingerprint": "86e60ff5b0adf3d149b52db99c783c7e7a253d9bd1c5f3e2c239a62093b902f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86e60ff5b0adf3d149b52db99c783c7e7a253d9bd1c5f3e2c239a62093b902f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `jlumbroso/free-disk-space` pinned to mutable ref `@v1.3.1`"}, "properties": {"repobilityId": 73744, "scanner": "repobility-supply-chain", "fingerprint": "f3045e99e0efd51aa0dc97954901db41882676bfa192b4eca7717e2b9cb2d843", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3045e99e0efd51aa0dc97954901db41882676bfa192b4eca7717e2b9cb2d843"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 73742, "scanner": "repobility-supply-chain", "fingerprint": "87711890447edb2e9653bdc33ced30d7e2d4eb081c116e89746c549ecb792638", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|87711890447edb2e9653bdc33ced30d7e2d4eb081c116e89746c549ecb792638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_cuda.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 73741, "scanner": "repobility-supply-chain", "fingerprint": "35d4c412af9d7779e8ee348f1efd98a8924e913b947374f7c63af429bc689b15", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35d4c412af9d7779e8ee348f1efd98a8924e913b947374f7c63af429bc689b15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_cuda.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `pytorch/pytorch:2.6.0-cuda12.4-cudnn9-devel` not pinned by digest"}, "properties": {"repobilityId": 73740, "scanner": "repobility-supply-chain", "fingerprint": "37cc642192558060c8791df480964885aabbba62f1350bd727a465ce64f75dd8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37cc642192558060c8791df480964885aabbba62f1350bd727a465ce64f75dd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.base"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": 
"Dockerfile FROM `nvcr.io/nvidia/pytorch:25.06-py3` not pinned by digest"}, "properties": {"repobilityId": 73739, "scanner": "repobility-supply-chain", "fingerprint": "9fd3a2998db2be397000052f4f7e812b44927ab5f98cc1446ef0e015e96b6437", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fd3a2998db2be397000052f4f7e812b44927ab5f98cc1446ef0e015e96b6437"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-cuda/Dockerfile.megatron"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.13.2`"}, "properties": {"repobilityId": 73738, "scanner": "repobility-supply-chain", "fingerprint": "eea4c5895be28cc8ed1d850fae4ba34e245b85f9fcddd584cc6dc02d487eef38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eea4c5895be28cc8ed1d850fae4ba34e245b85f9fcddd584cc6dc02d487eef38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/asottile/pyupgrade` pinned to mutable rev `v3.20.0`"}, "properties": {"repobilityId": 73737, "scanner": "repobility-supply-chain", "fingerprint": 
"6e9c6cb3204473bf179a148bfc454bd9cee011f5ef561b6445ced9a5c46d488d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e9c6cb3204473bf179a148bfc454bd9cee011f5ef561b6445ced9a5c46d488d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`"}, "properties": {"repobilityId": 73736, "scanner": "repobility-supply-chain", "fingerprint": "7d6eb8afb666cf3c56fa0abc46036bcc52e657a57a1a639516377b0302928728", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d6eb8afb666cf3c56fa0abc46036bcc52e657a57a1a639516377b0302928728"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /v1/score/evaluation has no auth"}, "properties": {"repobilityId": 73735, "scanner": "repobility-route-auth", "fingerprint": "d0da5c78078efbabab0878836974e030c79d13b0c53c406c0212248400d70731", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": 
"A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|d0da5c78078efbabab0878836974e030c79d13b0c53c406c0212248400d70731"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/api/app.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /v1/chat/completions has no auth"}, "properties": {"repobilityId": 73734, "scanner": "repobility-route-auth", "fingerprint": "db0b8f65e9910db1618eac7b0ae2bf78ecc2d2b5e19a8bcfdafa8117d638e40c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|db0b8f65e9910db1618eac7b0ae2bf78ecc2d2b5e19a8bcfdafa8117d638e40c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/api/app.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `requests.post` inside async function `_generate`"}, "properties": {"repobilityId": 73725, "scanner": "repobility-ast-engine", "fingerprint": "f8fbcb418a98d32d6a8ed13dca52a0fd92a10ed37ad7d9b4caa4364630f58e83", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f8fbcb418a98d32d6a8ed13dca52a0fd92a10ed37ad7d9b4caa4364630f58e83"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "src/llamafactory/chat/sglang_engine.py"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.use_rslora` used but never assigned in __init__"}, "properties": {"repobilityId": 73713, "scanner": "repobility-ast-engine", "fingerprint": "723122ee584f0a8492c11ddc3993362f75fbfd9239c4bf0b077f113c4bd18bc6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|723122ee584f0a8492c11ddc3993362f75fbfd9239c4bf0b077f113c4bd18bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 608}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.pissa_init` used but never assigned in __init__"}, "properties": {"repobilityId": 73712, "scanner": "repobility-ast-engine", "fingerprint": "505124e36e5d421f5dda7e612d8f488abfdae2a3308e7eac2c26c0a9065f9d6b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|505124e36e5d421f5dda7e612d8f488abfdae2a3308e7eac2c26c0a9065f9d6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 601}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.reward_model_quantization_bit` used but never assigned in __init__"}, "properties": {"repobilityId": 73711, "scanner": 
"repobility-ast-engine", "fingerprint": "c2aa05becea9715a95a6bd24a7aabca576fa47adb45455e77cba73444c8d074f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c2aa05becea9715a95a6bd24a7aabca576fa47adb45455e77cba73444c8d074f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 578}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.ref_model_quantization_bit` used but never assigned in __init__"}, "properties": {"repobilityId": 73710, "scanner": "repobility-ast-engine", "fingerprint": "abea8ecefcc2ba8053a36cb59e60c392317e19f820936b3ef411e86a51b051bc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|abea8ecefcc2ba8053a36cb59e60c392317e19f820936b3ef411e86a51b051bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 577}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.use_ref_model` used but never assigned in __init__"}, "properties": {"repobilityId": 73709, "scanner": "repobility-ast-engine", "fingerprint": "a90f169d3d21eb9dedb8d4415e8465df76ab3515432c78723106e244f3bc7427", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": 
{"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a90f169d3d21eb9dedb8d4415e8465df76ab3515432c78723106e244f3bc7427"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 574}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.apollo_target` used but never assigned in __init__"}, "properties": {"repobilityId": 73708, "scanner": "repobility-ast-engine", "fingerprint": "993fea471e62752f03a700559af5e7f74d8a9a8265e6abf59c56c5e7dd57e41c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|993fea471e62752f03a700559af5e7f74d8a9a8265e6abf59c56c5e7dd57e41c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 573}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.galore_target` used but never assigned in __init__"}, "properties": {"repobilityId": 73707, "scanner": "repobility-ast-engine", "fingerprint": "212da45fcfa8827bd6051128c26b60c5d15c95b26e4564e363e675e7c344c964", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|212da45fcfa8827bd6051128c26b60c5d15c95b26e4564e363e675e7c344c964"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 572}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.additional_target` used but never assigned in __init__"}, "properties": {"repobilityId": 73706, "scanner": "repobility-ast-engine", "fingerprint": "ec96b4f789c3c6de2ed6b20ade69c29afad5885c60f3c78a5bf5e1e47c115f3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec96b4f789c3c6de2ed6b20ade69c29afad5885c60f3c78a5bf5e1e47c115f3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 571}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.oft_target` used but never assigned in __init__"}, "properties": {"repobilityId": 73705, "scanner": "repobility-ast-engine", "fingerprint": "d74e0d75073afd259a942087def66049e6b994995b1ddab1387d6f7018ea39a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d74e0d75073afd259a942087def66049e6b994995b1ddab1387d6f7018ea39a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 570}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.lora_target` used but never assigned in __init__"}, "properties": {"repobilityId": 73704, "scanner": 
"repobility-ast-engine", "fingerprint": "c68f13d9afb5887c605758e9f74a713bdf5046d75b49af3d7583310f618c8ad2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c68f13d9afb5887c605758e9f74a713bdf5046d75b49af3d7583310f618c8ad2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 569}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.lora_alpha` used but never assigned in __init__"}, "properties": {"repobilityId": 73703, "scanner": "repobility-ast-engine", "fingerprint": "8671e5c15f5bdc52d77d66d66093a9b0bd65f77c949109b7cacbc2dbb8c197fa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8671e5c15f5bdc52d77d66d66093a9b0bd65f77c949109b7cacbc2dbb8c197fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 568}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.freeze_extra_modules` used but never assigned in __init__"}, "properties": {"repobilityId": 73702, "scanner": "repobility-ast-engine", "fingerprint": "1cf9bc945c2af940ac2e75ca88d8be4b9607bb28e0c23611b9de2b829a9f1fa5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1cf9bc945c2af940ac2e75ca88d8be4b9607bb28e0c23611b9de2b829a9f1fa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 567}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.freeze_trainable_modules` used but never assigned in __init__"}, "properties": {"repobilityId": 73701, "scanner": "repobility-ast-engine", "fingerprint": "c9833684246bec88f35c62acfe8395e2d4d5adb6b32432ea0d2e02b9d39b8b00", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c9833684246bec88f35c62acfe8395e2d4d5adb6b32432ea0d2e02b9d39b8b00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/llamafactory/hparams/finetuning_args.py"}, "region": {"startLine": 566}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.use_ray` used but never assigned in __init__"}, "properties": {"repobilityId": 73700, "scanner": "repobility-ast-engine", "fingerprint": "8929c39ef5e77f57536fe7632b2d9f7b4f0ff8ae94d8c07e5692c91dc8c85c2f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8929c39ef5e77f57536fe7632b2d9f7b4f0ff8ae94d8c07e5692c91dc8c85c2f"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "src/llamafactory/hparams/training_args.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_phi4_template"}, "properties": {"repobilityId": 73699, "scanner": "repobility-ast-engine", "fingerprint": "7123cba6c7846291a88736ad09bb08b167e5ccf413bc898a4db65f554ed2e1b5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7123cba6c7846291a88736ad09bb08b167e5ccf413bc898a4db65f554ed2e1b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_template.py"}, "region": {"startLine": 308}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_llama4_template"}, "properties": {"repobilityId": 73698, "scanner": "repobility-ast-engine", "fingerprint": "d3b667fd29d403c63d94d49fb221c4764d37ee361b0006dbffd13092ac026686", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d3b667fd29d403c63d94d49fb221c4764d37ee361b0006dbffd13092ac026686"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_template.py"}, "region": {"startLine": 296}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_llama3_template"}, "properties": {"repobilityId": 73697, "scanner": "repobility-ast-engine", "fingerprint": 
"3cfe237c84100ac960b78c450f21cca092077dfc9c63c740ecf077265fc0c3ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3cfe237c84100ac960b78c450f21cca092077dfc9c63c740ecf077265fc0c3ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_template.py"}, "region": {"startLine": 284}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_gemma2_template"}, "properties": {"repobilityId": 73696, "scanner": "repobility-ast-engine", "fingerprint": "6c6c9c894f0a9b233a1a60747abf0f7a6d53a283f05ae6fac408d99cbf798bb8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6c6c9c894f0a9b233a1a60747abf0f7a6d53a283f05ae6fac408d99cbf798bb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_template.py"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_gemma_template"}, "properties": {"repobilityId": 73695, "scanner": "repobility-ast-engine", "fingerprint": "3d974196025b70cb36fa969becada73b0f31aa034544e4320d70d2b0836f5c08", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], 
"observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d974196025b70cb36fa969becada73b0f31aa034544e4320d70d2b0836f5c08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_template.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_reasoning_encode_multiturn_discarding_history_cot"}, "properties": {"repobilityId": 73694, "scanner": "repobility-ast-engine", "fingerprint": "50e1e7a6e051ccefdd944dc3bdda50fa020ff3bd75b517b0650abc69b33c492b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|50e1e7a6e051ccefdd944dc3bdda50fa020ff3bd75b517b0650abc69b33c492b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_template.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_reasoning_encode_multiturn"}, "properties": {"repobilityId": 73693, "scanner": "repobility-ast-engine", "fingerprint": "e90c632f169fa68d72bcca1b8ca753543c3f1e8d855d1fddb33db73872f0d9b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e90c632f169fa68d72bcca1b8ca753543c3f1e8d855d1fddb33db73872f0d9b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_template.py"}, "region": {"startLine": 159}}}]}, {"ruleId": 
"MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_reasoning_encode_oneturn"}, "properties": {"repobilityId": 73692, "scanner": "repobility-ast-engine", "fingerprint": "556ed5d02efbd185c81252e5f9563c77305c6ef1e77a614b1918d7a8884dd702", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|556ed5d02efbd185c81252e5f9563c77305c6ef1e77a614b1918d7a8884dd702"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_template.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_encode_multiturn"}, "properties": {"repobilityId": 73691, "scanner": "repobility-ast-engine", "fingerprint": "e86a0a116ce45222a8a8fefed13feb98aa9b1f983ced49395062a0f2a3fb4d52", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e86a0a116ce45222a8a8fefed13feb98aa9b1f983ced49395062a0f2a3fb4d52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_template.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_encode_oneturn"}, "properties": {"repobilityId": 73690, "scanner": "repobility-ast-engine", "fingerprint": "6b3d20e1cc58e414d2da192b342640ccd9c58f2ac5f31cb5eda9c22f40d28803", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b3d20e1cc58e414d2da192b342640ccd9c58f2ac5f31cb5eda9c22f40d28803"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_template.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_video_llava_plugin"}, "properties": {"repobilityId": 73688, "scanner": "repobility-ast-engine", "fingerprint": "22afa8cd4a7655f6f5619ac1ecbee2152bb402895971d2193d11c469c249675e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22afa8cd4a7655f6f5619ac1ecbee2152bb402895971d2193d11c469c249675e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 478}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_qwen3_vl_plugin"}, "properties": {"repobilityId": 73687, "scanner": "repobility-ast-engine", "fingerprint": "3fa7e02fe2cf4694cb67599b17ca95c123f23d35c86cd20fa06da472621424ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|3fa7e02fe2cf4694cb67599b17ca95c123f23d35c86cd20fa06da472621424ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 422}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_qwen2_vl_plugin"}, "properties": {"repobilityId": 73686, "scanner": "repobility-ast-engine", "fingerprint": "21728ed2d027153638bd7c63e91c24fb7e5caaccabdd8898dc0d4b4e325cd196", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21728ed2d027153638bd7c63e91c24fb7e5caaccabdd8898dc0d4b4e325cd196"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 404}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_qwen2_omni_plugin"}, "properties": {"repobilityId": 73685, "scanner": "repobility-ast-engine", "fingerprint": "dabd721a751d049605b9b3ec767933b1f5cd483003a2cfe71f198c8b43f31a4f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dabd721a751d049605b9b3ec767933b1f5cd483003a2cfe71f198c8b43f31a4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 374}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_pixtral_plugin"}, "properties": 
{"repobilityId": 73684, "scanner": "repobility-ast-engine", "fingerprint": "c7e3d01f101bcd0a1317d06d8d7498ed7c3972505fd5d8f173715f2ad9318a33", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c7e3d01f101bcd0a1317d06d8d7498ed7c3972505fd5d8f173715f2ad9318a33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 351}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_paligemma_plugin"}, "properties": {"repobilityId": 73683, "scanner": "repobility-ast-engine", "fingerprint": "e4c92b0cd73280f99cf9af7767ebe46dc0ea29651e2bbdb2aac30d41ae4ec10b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e4c92b0cd73280f99cf9af7767ebe46dc0ea29651e2bbdb2aac30d41ae4ec10b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 331}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_llava_next_video_plugin"}, "properties": {"repobilityId": 73682, "scanner": "repobility-ast-engine", "fingerprint": "5b8056daaa8c68e4222e1457bd1cee40892610cc84c979ed706a68439cb58ea6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5b8056daaa8c68e4222e1457bd1cee40892610cc84c979ed706a68439cb58ea6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_llava_next_plugin"}, "properties": {"repobilityId": 73681, "scanner": "repobility-ast-engine", "fingerprint": "251762012edd128ec546b934c27b5f08e9b842918184c6fac1b059e724d32067", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|251762012edd128ec546b934c27b5f08e9b842918184c6fac1b059e724d32067"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 302}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_llava_plugin"}, "properties": {"repobilityId": 73680, "scanner": "repobility-ast-engine", "fingerprint": "f831a5d7d2d3ab65904678a8363c7e664e3b645c9012eefb8bb85a77f0d8d025", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f831a5d7d2d3ab65904678a8363c7e664e3b645c9012eefb8bb85a77f0d8d025"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"tests/data/test_mm_plugin.py"}, "region": {"startLine": 288}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_llama4_plugin"}, "properties": {"repobilityId": 73679, "scanner": "repobility-ast-engine", "fingerprint": "1a1b76cbe4ae60b2f4a3f2f27b293db9e9dedc147f3fc3d3ff1a31a06c2e0845", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1a1b76cbe4ae60b2f4a3f2f27b293db9e9dedc147f3fc3d3ff1a31a06c2e0845"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 267}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_internvl_plugin"}, "properties": {"repobilityId": 73678, "scanner": "repobility-ast-engine", "fingerprint": "176bafb97914ee8aae56b6b207299ee5b4c029713dc5607c1db67e138ee25663", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|176bafb97914ee8aae56b6b207299ee5b4c029713dc5607c1db67e138ee25663"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 248}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_gemma4_plugin"}, "properties": {"repobilityId": 73677, "scanner": "repobility-ast-engine", "fingerprint": "636215453a21f31ecf1bd4c97427f4a659a17f695ac90b0964886f7c4afc416e", "category": 
"quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|636215453a21f31ecf1bd4c97427f4a659a17f695ac90b0964886f7c4afc416e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_gemma3_plugin"}, "properties": {"repobilityId": 73676, "scanner": "repobility-ast-engine", "fingerprint": "c3a133dcb698b7eee8e48cdb9e07c9de87348113de1ce1182def9b7920609a32", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3a133dcb698b7eee8e48cdb9e07c9de87348113de1ce1182def9b7920609a32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_base_plugin"}, "properties": {"repobilityId": 73675, "scanner": "repobility-ast-engine", "fingerprint": "2ad8bfb0b8f37314302c251f773ce4459130c1650ebbea502b1ada819e122df1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|2ad8bfb0b8f37314302c251f773ce4459130c1650ebbea502b1ada819e122df1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/data/test_mm_plugin.py"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_chat"}, "properties": {"repobilityId": 73674, "scanner": "repobility-ast-engine", "fingerprint": "5ee09479ab2ed4d90e7ff5872c0772c58b09f899334e3a493948c81709b77580", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5ee09479ab2ed4d90e7ff5872c0772c58b09f899334e3a493948c81709b77580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/test_sglang.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_rope_func` used but never assigned in __init__"}, "properties": {"repobilityId": 73673, "scanner": "repobility-ast-engine", "fingerprint": "fa6fac4b140d47121779d207e04fbc1ac279cb679a0aff5205990511dce779ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa6fac4b140d47121779d207e04fbc1ac279cb679a0aff5205990511dce779ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench_qwen.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_rope_func` used but never assigned in __init__"}, "properties": {"repobilityId": 
73672, "scanner": "repobility-ast-engine", "fingerprint": "fe1c5b424367e379552a51e87f9032b34b149fb0e6694e70774e2b7edca96d91", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe1c5b424367e379552a51e87f9032b34b149fb0e6694e70774e2b7edca96d91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench_qwen.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.model` used but never assigned in __init__"}, "properties": {"repobilityId": 73671, "scanner": "repobility-ast-engine", "fingerprint": "e63e86f958ec7cf8d572b91a41e7c80b2efd1827cad178425f7ff6014fd31865", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e63e86f958ec7cf8d572b91a41e7c80b2efd1827cad178425f7ff6014fd31865"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench_qwen.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.model` used but never assigned in __init__"}, "properties": {"repobilityId": 73670, "scanner": "repobility-ast-engine", "fingerprint": "fce3e1439b76aa46e84569d394717de9befc72393c4d650167aa4c195fa480bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": 
["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fce3e1439b76aa46e84569d394717de9befc72393c4d650167aa4c195fa480bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench_qwen.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_rope_func` used but never assigned in __init__"}, "properties": {"repobilityId": 73669, "scanner": "repobility-ast-engine", "fingerprint": "60e58022129a29ca59142a0fb559a5725cb22c73283348f546c86c42c8a8e459", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|60e58022129a29ca59142a0fb559a5725cb22c73283348f546c86c42c8a8e459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench_qwen.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_rope_func` used but never assigned in __init__"}, "properties": {"repobilityId": 73668, "scanner": "repobility-ast-engine", "fingerprint": "c2e7db7c59bfd5df8b68b26fbcd91fa82e7bee7e9ef11d121d347ed3d949f61b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c2e7db7c59bfd5df8b68b26fbcd91fa82e7bee7e9ef11d121d347ed3d949f61b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench_qwen.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED108", 
"level": "error", "message": {"text": "`self.model` used but never assigned in __init__"}, "properties": {"repobilityId": 73667, "scanner": "repobility-ast-engine", "fingerprint": "2afed37b6d3c49d9760cc5385b310fc090946d64c20529a165b4c97dcbba9d92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2afed37b6d3c49d9760cc5385b310fc090946d64c20529a165b4c97dcbba9d92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench_qwen.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.model` used but never assigned in __init__"}, "properties": {"repobilityId": 73666, "scanner": "repobility-ast-engine", "fingerprint": "f7a07dc4690dbae8d18096deb07077004a2cda65afe318856904b4cfab9e3887", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f7a07dc4690dbae8d18096deb07077004a2cda65afe318856904b4cfab9e3887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench_qwen.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_rope_func` used but never assigned in __init__"}, "properties": {"repobilityId": 73665, "scanner": "repobility-ast-engine", "fingerprint": "775df457b9676ca93b5adbe95d659d4044b33288e070aec1890ce17fa71d5a3e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|775df457b9676ca93b5adbe95d659d4044b33288e070aec1890ce17fa71d5a3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench_qwen.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.model` used but never assigned in __init__"}, "properties": {"repobilityId": 73664, "scanner": "repobility-ast-engine", "fingerprint": "c58455f8684ff3cd807eba59ac92135e321f65c231cba078c56522528cd3b178", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c58455f8684ff3cd807eba59ac92135e321f65c231cba078c56522528cd3b178"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench_qwen.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.model` used but never assigned in __init__"}, "properties": {"repobilityId": 73663, "scanner": "repobility-ast-engine", "fingerprint": "396f11d1cfe2808e5544ba707c2588995a47081aeaf1cdb415566b279c9e79d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|396f11d1cfe2808e5544ba707c2588995a47081aeaf1cdb415566b279c9e79d9"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench_qwen.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 73872, "scanner": "gitleaks", "fingerprint": "4f3dbf0d0ed31ea3c109425c3b8cbdcc52ca11eb92c6a9d534d0b97f4733d800", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "password: <redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|723|password: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data/glaive_toolcall_en_demo.json"}, "region": {"startLine": 7236}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 73871, "scanner": "gitleaks", "fingerprint": "5ab790b0b310ebccf340213bebb4b3ab5695cda0efb4abda52998005d068b162", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "password: <redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|529|password: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data/glaive_toolcall_en_demo.json"}, "region": {"startLine": 5293}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 73760, "scanner": "repobility-supply-chain", "fingerprint": "38c98f97ca04d9c3f99926481e2673551bcf0b2c0e9ecb7697251f09671b7b8f", 
"category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38c98f97ca04d9c3f99926481e2673551bcf0b2c0e9ecb7697251f09671b7b8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 73750, "scanner": "repobility-supply-chain", "fingerprint": "7ed05a555e50c42562cb67e46be9b520f04163b3058db8d77340ff15bb75d015", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ed05a555e50c42562cb67e46be9b520f04163b3058db8d77340ff15bb75d015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_npu.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.QUAY_ASCEND_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 73747, "scanner": "repobility-supply-chain", "fingerprint": "921b57094ad98afb1360af65839bd716a49704eae328456ce6df8d612b065550", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": 
["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|921b57094ad98afb1360af65839bd716a49704eae328456ce6df8d612b065550"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 73746, "scanner": "repobility-supply-chain", "fingerprint": "bdc7c86b09dc150465ec675c76f2eb97770902bd697fcc385f06cb23e00ea505", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bdc7c86b09dc150465ec675c76f2eb97770902bd697fcc385f06cb23e00ea505"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 73743, "scanner": "repobility-supply-chain", "fingerprint": "159cf40475f6eca511474b9a82ca993b2e948de4fd4a10f3dadd0d4b084f018b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|159cf40475f6eca511474b9a82ca993b2e948de4fd4a10f3dadd0d4b084f018b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_cuda.yml"}, "region": 
{"startLine": 41}}}]}]}]}