{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no 
robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-119 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 50 more): Same pattern found in 50 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 50 more): Same pattern found in 50 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 11 more): Same pattern found in 11 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 7 more): Same pattern found in 7 additional files. 
Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 47 more): Same pattern found in 47 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED039", "name": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path.", "shortDescription": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1179"}, "properties": {"repository": "ubugeeei-prod/vize", "repoUrl": "https://github.com/ubugeeei-prod/vize", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 118379, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 118378, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": 
"fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 118373, "scanner": "repobility-agent-runtime", "fingerprint": "bc8aa9e4ec37b423a3a480acc608b4ff208e6460ff1f18839df67eae55eb1da6", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|bc8aa9e4ec37b423a3a480acc608b4ff208e6460ff1f18839df67eae55eb1da6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/src/shared/presets/crossfile-reference-escape.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 118372, "scanner": "repobility-agent-runtime", "fingerprint": "42837e17897666cea9ae328327db387f4b4d0c9478bfffcd5f01222e59cd7004", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|42837e17897666cea9ae328327db387f4b4d0c9478bfffcd5f01222e59cd7004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/content/getting-started.md"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC004", "level": "warning", 
"message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 118341, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7074e02d8314b5f72dd6869a321d393541952c6049dac9913410fb314f1cf60", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "alt", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|f7074e02d8314b5f72dd6869a321d393541952c6049dac9913410fb314f1cf60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_patina/src/rules/vue/a11y_img_alt.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 118330, "scanner": "repobility-threat-engine", "fingerprint": "3c690a15e03d4cb54e242061e2011ae34df6db60d7b1af9c6ac29d0e3198dde5", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"${escapeHtml(v.helpUrl)}\" target=\"_blank\" style=\"color:#60a5fa\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|69|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vite-plugin-musea/src/a11y/report.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 118323, "scanner": "repobility-threat-engine", "fingerprint": "cab6a9f5d3ff36afee81a0f4acff62d3980546ccad930bce2e0d9281a9c9f885", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2)}`,\n    isActive: isActiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cab6a9f5d3ff36afee81a0f4acff62d3980546ccad930bce2e0d9281a9c9f885"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/fresco/src/composables/useFocus.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 118322, "scanner": "repobility-threat-engine", "fingerprint": "8a2e98908e7dd8bd18cc92d6fd4b79693590d585bb666e4758f0b730c345998d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8a2e98908e7dd8bd18cc92d6fd4b79693590d585bb666e4758f0b730c345998d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/fresco/src/composables/useBoxMetrics.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a 
lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 118286, "scanner": "repobility-threat-engine", "fingerprint": "59279c6fb73a08447101e41ad3c7bece5d3fd581aa2bd3d4886a9c4a8437e274", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|53|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vite-plugin-musea/src/cli/utils.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 118285, "scanner": "repobility-threat-engine", "fingerprint": "741596bb729d9d1d9da87340d3b035670b751e2fe5a19b0d1d91ff0bc9b49f1f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|12|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/oxlint-plugin-vize/src/sfc-blocks.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 118284, "scanner": "repobility-threat-engine", "fingerprint": "4985f4f56ad51f8881f28f02484ab43f0fb35ebdc3455e1a93802374a9f15874", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|bench/test-inventory.mjs|200|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/test-inventory.mjs"}, "region": {"startLine": 200}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 118377, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 118376, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks 
public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 118375, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 118374, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118371, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da81e5a678e46a12e273b7bbfc4f34be89adc6b2af1e2575e99d3d6adf3ebecd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_sfc/src/script/context/props.rs", "duplicate_line": 6, "correlation_key": "fp|da81e5a678e46a12e273b7bbfc4f34be89adc6b2af1e2575e99d3d6adf3ebecd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_croquis/src/types.rs"}, "region": {"startLine": 206}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118370, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c06ebf4c4224dd660d3cad6fcd5f3d59c1461fde7e0c973f4748d75b489439c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_croquis/src/script_parser/walk/expressions.rs", "duplicate_line": 40, "correlation_key": "fp|c06ebf4c4224dd660d3cad6fcd5f3d59c1461fde7e0c973f4748d75b489439c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_croquis/src/script_parser/walk/statements.rs"}, "region": {"startLine": 
39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118369, "scanner": "repobility-ai-code-hygiene", "fingerprint": "320415cb05a0dca132f0e731c1c57bec7ab6085950e9374d5f3583f0a2e5cb0d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_croquis/src/display.rs", "duplicate_line": 116, "correlation_key": "fp|320415cb05a0dca132f0e731c1c57bec7ab6085950e9374d5f3583f0a2e5cb0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_croquis/src/scope/types.rs"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118368, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f102fdd88771f826fd3bf52e686e03aa500076721b6ca20885a1829bbc0a487", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_carton/src/flags.rs", "duplicate_line": 3, "correlation_key": "fp|8f102fdd88771f826fd3bf52e686e03aa500076721b6ca20885a1829bbc0a487"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_croquis/src/hoist.rs"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 118367, "scanner": "repobility-ai-code-hygiene", "fingerprint": "13895a3a90db20b813a526a46c83036d7eb5b8840c07593bb6922bbca7a4f913", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_canon/src/virtual_ts/props.rs", "duplicate_line": 583, "correlation_key": "fp|13895a3a90db20b813a526a46c83036d7eb5b8840c07593bb6922bbca7a4f913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_croquis/src/declaration_ts.rs"}, "region": {"startLine": 310}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118366, "scanner": "repobility-ai-code-hygiene", "fingerprint": "82b2f22d382223195758c79f25e126f7bc922d8c0e3f362b85856c07884b6b79", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_vapor/src/transform/directive.rs", "duplicate_line": 423, "correlation_key": "fp|82b2f22d382223195758c79f25e126f7bc922d8c0e3f362b85856c07884b6b79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_carton/src/general.rs"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118365, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"b98b230b50a955073baed5b5d9d7c42d07a1b610d94f7e612dab229125537b16", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_sfc/src/compile_script/function_mode/helpers.rs", "duplicate_line": 12, "correlation_key": "fp|b98b230b50a955073baed5b5d9d7c42d07a1b610d94f7e612dab229125537b16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_canon/src/virtual_ts/helpers.rs"}, "region": {"startLine": 247}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118364, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3fde8747f4dc8d4fa9ab28f79de4a733ae937321f0f66dbac1bcc910ffd2f633", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_canon/src/sfc_typecheck/runner.rs", "duplicate_line": 55, "correlation_key": "fp|3fde8747f4dc8d4fa9ab28f79de4a733ae937321f0f66dbac1bcc910ffd2f633"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_canon/src/typecheck_service.rs"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118363, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35ae5f7cf8dbfe934013620e95f3d6a134d23e139d9a9cecad9dc2998e5c8f76", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_vapor/src/transforms/transform_slot.rs", "duplicate_line": 165, "correlation_key": "fp|35ae5f7cf8dbfe934013620e95f3d6a134d23e139d9a9cecad9dc2998e5c8f76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/transforms/v_on.rs"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118362, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9174ee5eb49b5d03d783a421481989e5840fecc0fcdc17d2d4daee7b98c12ed2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_vapor/src/transforms/transform_slot.rs", "duplicate_line": 159, "correlation_key": "fp|9174ee5eb49b5d03d783a421481989e5840fecc0fcdc17d2d4daee7b98c12ed2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/transforms/v_if.rs"}, "region": {"startLine": 120}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118361, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4662b324d946d2d21404c767bbead0ad7ac57ae3a816e278ca376d4077e8146e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_vapor/src/transforms/transform_slot.rs", "duplicate_line": 159, "correlation_key": "fp|4662b324d946d2d21404c767bbead0ad7ac57ae3a816e278ca376d4077e8146e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/transforms/v_for.rs"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118360, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5daebd920527fd9acd5b44b07737d2c4a1d323e0b684449b491e47dde1efc4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_vapor/src/transform.rs", "duplicate_line": 95, "correlation_key": "fp|d5daebd920527fd9acd5b44b07737d2c4a1d323e0b684449b491e47dde1efc4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/transform/text.rs"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118359, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5a3739a1b1449ff0d78f4c375d2e66444151a91ad55e660ab3b4d22fc81431d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_vapor/src/transform/element.rs", "duplicate_line": 91, "correlation_key": "fp|c5a3739a1b1449ff0d78f4c375d2e66444151a91ad55e660ab3b4d22fc81431d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/transform/element/deferred.rs"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118358, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e3f385fdab679b584178e2be562b3c177fe810a25cd23558086f5ae36e05736", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_vapor/src/transform/element.rs", "duplicate_line": 118, "correlation_key": "fp|1e3f385fdab679b584178e2be562b3c177fe810a25cd23558086f5ae36e05736"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/transform/element/component.rs"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118357, "scanner": "repobility-ai-code-hygiene", "fingerprint": "685f26d3ff65a1571f1eb8b5809308f2946d58a6ca08b830d486c390d9c31037", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_ssr/src/lib.rs", "duplicate_line": 94, "correlation_key": "fp|685f26d3ff65a1571f1eb8b5809308f2946d58a6ca08b830d486c390d9c31037"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/lib.rs"}, "region": {"startLine": 118}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118356, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea1ad37c8fc966fc57f6ae8865d9db3218f1ca40bc27c37de20bd49ef5602b9d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_vapor/src/generators/component.rs", "duplicate_line": 11, "correlation_key": "fp|ea1ad37c8fc966fc57f6ae8865d9db3218f1ca40bc27c37de20bd49ef5602b9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/generators/generate_slot.rs"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118355, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c84cd074e54b420849259da63ab523ef8757a3c9f299ee93db646793ef450c0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_vapor/src/generate/operations/directives.rs", "duplicate_line": 41, "correlation_key": "fp|6c84cd074e54b420849259da63ab523ef8757a3c9f299ee93db646793ef450c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/generators/directive.rs"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118354, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2f09332a362a28025a95fdadd3ce1f97c96ff0ff3eb5f24f710b5f1ac2e6de3f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_vapor/src/generate/helpers.rs", "duplicate_line": 108, "correlation_key": "fp|2f09332a362a28025a95fdadd3ce1f97c96ff0ff3eb5f24f710b5f1ac2e6de3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/generate/operations/dom.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118353, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3d9e0183208b1192fe120563bf786ca8a3d9cd6400ef7f224f59c919ca0ccfab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"crates/vize_atelier_core/src/transforms/transform_expression/collector.rs", "duplicate_line": 256, "correlation_key": "fp|3d9e0183208b1192fe120563bf786ca8a3d9cd6400ef7f224f59c919ca0ccfab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/generate/expression.rs"}, "region": {"startLine": 203}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118352, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd9e80e629388506951e40ede17805122c84e398dca7142ed48020a651cccc09", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_sfc/src/vite_plugin/resolver.rs", "duplicate_line": 248, "correlation_key": "fp|bd9e80e629388506951e40ede17805122c84e398dca7142ed48020a651cccc09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/src/vite_plugin/transform.rs"}, "region": {"startLine": 186}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118351, "scanner": "repobility-ai-code-hygiene", "fingerprint": "941a2de91b388469bee3c1385f766f061b14dd89e1a1d6c00db4e4cfc63c2f5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_sfc/src/css/scoped.rs", 
"duplicate_line": 167, "correlation_key": "fp|941a2de91b388469bee3c1385f766f061b14dd89e1a1d6c00db4e4cfc63c2f5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/src/style.rs"}, "region": {"startLine": 228}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118350, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8210d6eb4802570d6fbe9b8300ee5d38bd8cf804502b85e79605f2eb6b94982e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_core/src/transforms/transform_expression/collector.rs", "duplicate_line": 96, "correlation_key": "fp|8210d6eb4802570d6fbe9b8300ee5d38bd8cf804502b85e79605f2eb6b94982e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/src/script/import_usage_check.rs"}, "region": {"startLine": 250}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118349, "scanner": "repobility-ai-code-hygiene", "fingerprint": "66b67d5ee7bb74662261a4a64da6e9f93fd5a5125470c8668d90c6e291ce7c2c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_sfc/src/script/define_expose.rs", "duplicate_line": 7, "correlation_key": 
"fp|66b67d5ee7bb74662261a4a64da6e9f93fd5a5125470c8668d90c6e291ce7c2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/src/script/define_slots.rs"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118348, "scanner": "repobility-ai-code-hygiene", "fingerprint": "594429418b0b0859bb14e3ccb758d4331aa56221f0120a9550b7910927898909", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_sfc/src/script/define_expose.rs", "duplicate_line": 7, "correlation_key": "fp|594429418b0b0859bb14e3ccb758d4331aa56221f0120a9550b7910927898909"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/src/script/define_props.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118347, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02052a353231a0bcb9073e4625dd3ed98bd43ed44283b7056517b474d06b9691", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_sfc/src/script/define_expose.rs", "duplicate_line": 7, "correlation_key": "fp|02052a353231a0bcb9073e4625dd3ed98bd43ed44283b7056517b474d06b9691"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/src/script/define_options.rs"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118346, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5d807a8bd89205d9e8f8a02e5813efd3c647cefc9a65a8366d67bf19ebb4898", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_core/src/transforms/transform_element.rs", "duplicate_line": 65, "correlation_key": "fp|c5d807a8bd89205d9e8f8a02e5813efd3c647cefc9a65a8366d67bf19ebb4898"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/src/compile_template/vapor.rs"}, "region": {"startLine": 223}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118345, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1da58b581466357241a85d8213311064171cf4d1d69179e4142290dfb1612d90", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_sfc/src/compile_script/artifacts.rs", "duplicate_line": 120, "correlation_key": "fp|1da58b581466357241a85d8213311064171cf4d1d69179e4142290dfb1612d90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"crates/vize_atelier_sfc/src/compile_script/statement_sections.rs"}, "region": {"startLine": 125}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118344, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f3f6665a0e9e46955403306f1258418dbd4062d3163a8f87ec83ff799bfbd7fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_dom/src/options.rs", "duplicate_line": 113, "correlation_key": "fp|f3f6665a0e9e46955403306f1258418dbd4062d3163a8f87ec83ff799bfbd7fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_dom/src/transforms/v_on.rs"}, "region": {"startLine": 127}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118343, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8e129e3d9a6f6e016ce55eeace199beee558f9cf9dc4643aa9f36aeaac2d9b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_atelier_core/src/transforms/transform_expression.rs", "duplicate_line": 243, "correlation_key": "fp|f8e129e3d9a6f6e016ce55eeace199beee558f9cf9dc4643aa9f36aeaac2d9b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"crates/vize_atelier_core/src/transforms/transform_expression/inline_handler.rs"}, "region": {"startLine": 165}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118342, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a45bc353c822aa62cd310b930eb57b47ca588b269e454c474bba3985d2a59a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/vize_patina/src/rules/a11y/img_alt.rs", "duplicate_line": 14, "correlation_key": "fp|1a45bc353c822aa62cd310b930eb57b47ca588b269e454c474bba3985d2a59a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_patina/src/rules/vue/a11y_img_alt.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 118340, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d0dbdb22c89ee8922b04abf7d1a429710be515784c788ed16b241bd11aacf5d8", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "alt", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|d0dbdb22c89ee8922b04abf7d1a429710be515784c788ed16b241bd11aacf5d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_patina/src/rules/vue/a11y_img_alt.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source 
file name looks like an AI patch artifact"}, "properties": {"repobilityId": 118339, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7609dfadde7b86c4822097c557f7db319d6e7298554f5d97eaa442f01cdad77f", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "alt", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|7609dfadde7b86c4822097c557f7db319d6e7298554f5d97eaa442f01cdad77f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_patina/src/rules/a11y/img_alt.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 118333, "scanner": "repobility-threat-engine", "fingerprint": "c7e5e1211eb9460237bc24fac144cf85295481b6c586744b979e139881ef50f0", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"\\0musea-art:\" + artPath + \"?musea-virtual\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c7e5e1211eb9460237bc24fac144cf85295481b6c586744b979e139881ef50f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vite-plugin-musea/src/plugin/virtual.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 118332, "scanner": "repobility-threat-engine", "fingerprint": "c07d31060eba60020c19c52aa289d231772c42aed37af79103d349d50caf999b", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"/></svg>' + variantCount + ' variant'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c07d31060eba60020c19c52aa289d231772c42aed37af79103d349d50caf999b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vite-plugin-musea/src/gallery/template.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 118308, "scanner": "repobility-threat-engine", "fingerprint": "b59af4dcb7751d5447dc7e36103cbb73cb78e6a245e744bdc19f6767b5e92265", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|151|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vite-plugin-musea/src/gallery/template.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, 
"properties": {"repobilityId": 118307, "scanner": "repobility-threat-engine", "fingerprint": "ab8fc9e2140848c8f2ede321dfda34e52b208f527eca0d3ed1c632b2866759aa", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = {", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|154|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_vapor/src/generate/operations/dom.rs"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 118335, "scanner": "repobility-threat-engine", "fingerprint": "dde7612a3ee008c45cff528bbc1d17368f6e78bdd1061ebdc10d6b0ef2c85535", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dde7612a3ee008c45cff528bbc1d17368f6e78bdd1061ebdc10d6b0ef2c85535"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/src/shared/presets/crossfile-provide-inject.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": 
"MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 118334, "scanner": "repobility-threat-engine", "fingerprint": "d7695f83b012a0e62dffab1fb283ac980092d80349726f71bdcbd79fb10a4023", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7695f83b012a0e62dffab1fb283ac980092d80349726f71bdcbd79fb10a4023"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vite-plugin-musea/src/tokens/generator.ts"}, "region": {"startLine": 207}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default to rel='noopener' for new windows, but the explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 118331, "scanner": "repobility-threat-engine", "fingerprint": "68425c153b8795057c54acb19a81969ff681665b9966a1292cea1a200e42b266", "category": "security", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\"noopener\"|\\'noopener\\'' detected on same line", "evidence": {"match": "window.open(previewUrl, '_blank', 'noopener')", "reason": "Safe pattern '\"noopener\"|\\'noopener\\'' detected on same line", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|security|token|239|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vite-plugin-musea/src/gallery/template.ts"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 118329, "scanner": "repobility-threat-engine", "fingerprint": "185ef3103bba60e3317fbe1c9a931cb631b54d4818981aa88425165167a53d84", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|185ef3103bba60e3317fbe1c9a931cb631b54d4818981aa88425165167a53d84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/src/shared/presets/crossfile-reference-escape.ts"}, "region": 
{"startLine": 28}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 118328, "scanner": "repobility-threat-engine", "fingerprint": "f3b7068c7663078369dcffdd20bda995de266a359581c70553db33a919972c44", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3b7068c7663078369dcffdd20bda995de266a359581c70553db33a919972c44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/src/shared/presets/crossfile-reactivity.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 118327, "scanner": "repobility-threat-engine", "fingerprint": "f9c91d3590573ee8a25ae5edec6cbbcae341a221fbb6fca1f6bf37d5018d1452", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|f9c91d3590573ee8a25ae5edec6cbbcae341a221fbb6fca1f6bf37d5018d1452"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vite-plugin-musea/src/a11y/index.ts"}, "region": {"startLine": 146}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 118326, "scanner": "repobility-threat-engine", "fingerprint": "dc3ca77c229013613996ab84d203699c8174420959afc1c970065b4fce91474d", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(`[musea] Generated token documentation: ${outputPath}`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|20|console.log musea generated token documentation: outputpath"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vite-plugin-musea/src/tokens/generator.ts"}, "region": {"startLine": 207}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 118325, "scanner": "repobility-threat-engine", "fingerprint": "6b73762d7b5674fc99a38995033b5dba38443c9f5e474e2cc03dc83e8632dc0d", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(\"[musea] Failed to scan token usage:\", e)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|console.error musea failed to scan token usage: e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vite-plugin-musea/src/api-tokens.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 118321, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 118317, "scanner": "repobility-threat-engine", "fingerprint": "c0bce67eff9f1bf08fc00612a1cff7f77a6d47fbc604869f09cee199e61d3dd8", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|62|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_patina/src/rules/ssr/no_hydration_mismatch.rs"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 118316, "scanner": "repobility-threat-engine", "fingerprint": "85efe0e824a28212001637e1595abd082b6fbd7935c8705ea3bf45f2eed24303", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|61|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_patina/src/rules/script/prefer_use_id.rs"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED019", "level": "none", "message": {"text": "[MINED019] Ssti Jinja From String (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 118314, "scanner": "repobility-threat-engine", "fingerprint": "b665c83efa53226db26fe6804d0ce9b6b2bb54eb045aa65c50a94865248aeb53", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b665c83efa53226db26fe6804d0ce9b6b2bb54eb045aa65c50a94865248aeb53", "aggregated_count": 14}}}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 118310, "scanner": "repobility-threat-engine", "fingerprint": "2c543bdd5bd19f99249b645d7d25c211ab5cc4a15cd19a27c520e36ff5bffb0a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c543bdd5bd19f99249b645d7d25c211ab5cc4a15cd19a27c520e36ff5bffb0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_musea/src/lib.rs"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 118309, "scanner": "repobility-threat-engine", "fingerprint": "4e2162a5c70b55a9c49dad7662161221e02911597fcba19fd240cebdf3fba7a0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4e2162a5c70b55a9c49dad7662161221e02911597fcba19fd240cebdf3fba7a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_carton/src/directive.rs"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 118306, "scanner": "repobility-threat-engine", "fingerprint": "4e412bf576271f452d8d53a380314293ad150630a073e041a292c54ddebe44eb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4e412bf576271f452d8d53a380314293ad150630a073e041a292c54ddebe44eb", "aggregated_count": 2}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Inside the block the compiler does not verify the unsafe operations it permits (e.g. raw-pointer dereferences); the code must uphold memory safety itself."}, "properties": {"repobilityId": 118305, "scanner": "repobility-threat-engine", "fingerprint": "6d3f1571c77e87f8de9eb1b8823e7f91937c766662d1d5fcd997437e02803576", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d3f1571c77e87f8de9eb1b8823e7f91937c766662d1d5fcd997437e02803576"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/src/css/transform.rs"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Inside the block the compiler does not verify the unsafe operations it permits (e.g. raw-pointer dereferences); the code must uphold memory safety itself."}, "properties": {"repobilityId": 118304, "scanner": "repobility-threat-engine", "fingerprint": "04e1b458b713c5a1fa4c5b73bf1c58a3aae0ec7413c96f08e610c8dfe4bc7329", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|04e1b458b713c5a1fa4c5b73bf1c58a3aae0ec7413c96f08e610c8dfe4bc7329"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/src/compile_script/inline/compiler/props.rs"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Inside the block the compiler does not verify the unsafe operations it permits (e.g. raw-pointer dereferences); the code must uphold memory safety itself."}, "properties": {"repobilityId": 118303, "scanner": "repobility-threat-engine", "fingerprint": "ddeb857a3db7d0fd38418483b14124d9f8b2afdac314366cdf7993f5d8e46bc4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ddeb857a3db7d0fd38418483b14124d9f8b2afdac314366cdf7993f5d8e46bc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/src/compile_script/inline/compiler/body.rs"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 118302, "scanner": "repobility-threat-engine", "fingerprint": "fef308e79c0624341024b282f51bb97c5e66f9de7bf338480e6b4053e535b2c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fef308e79c0624341024b282f51bb97c5e66f9de7bf338480e6b4053e535b2c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"crates/vize_atelier_sfc/src/bundler/assets.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 118301, "scanner": "repobility-threat-engine", "fingerprint": "2db5dd2825afd5fbfd72bb0705da4369a34a4bf391433e15e1b57a016467dfda", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2db5dd2825afd5fbfd72bb0705da4369a34a4bf391433e15e1b57a016467dfda", "aggregated_count": 12}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 118300, "scanner": "repobility-threat-engine", "fingerprint": "08798b84807176891ab7d222aceea91d664c216ac751456122693673d23fd47b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08798b84807176891ab7d222aceea91d664c216ac751456122693673d23fd47b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/src/compile_script/artifacts.rs"}, "region": {"startLine": 361}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 118299, "scanner": "repobility-threat-engine", "fingerprint": "15cc8527dad017165ade1596250c75272af93fa66d794648a49490387b63e0e0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15cc8527dad017165ade1596250c75272af93fa66d794648a49490387b63e0e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_sfc/benches/sfc_compile.rs"}, "region": {"startLine": 334}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 118298, "scanner": "repobility-threat-engine", "fingerprint": "e8d35e1f79a4de7aaa6eec7266ef1da07881b1d268c2170dc509ca027c712ede", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e8d35e1f79a4de7aaa6eec7266ef1da07881b1d268c2170dc509ca027c712ede"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_core/src/transforms/v_slot.rs"}, "region": {"startLine": 304}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 118297, "scanner": "repobility-threat-engine", "fingerprint": "f2bf68dbf6d5f27d881fbdf44465eef3a6c230779270894ac9898491470c27b0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f2bf68dbf6d5f27d881fbdf44465eef3a6c230779270894ac9898491470c27b0", "aggregated_count": 6}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 118296, "scanner": "repobility-threat-engine", "fingerprint": "1db2d3ef661ab0719453c63de25476398d28dd32802d94bc9f8268bfafaba863", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1db2d3ef661ab0719453c63de25476398d28dd32802d94bc9f8268bfafaba863"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_croquis_cf/src/analyzer/tests_provide_inject/patterns.rs"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 118295, "scanner": "repobility-threat-engine", "fingerprint": "477207c5cf0af221ca875c5232ed4a239f1f77874d2eba9d89998367e679192a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|477207c5cf0af221ca875c5232ed4a239f1f77874d2eba9d89998367e679192a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_core/src/transforms/v_slot.rs"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 118294, "scanner": "repobility-threat-engine", "fingerprint": "106529739f0de2ad72958f47dfd5f194bb47bea437f4b48c024b8f1eee12708e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|106529739f0de2ad72958f47dfd5f194bb47bea437f4b48c024b8f1eee12708e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_atelier_core/src/transforms/transform_expression/inline_handler.rs"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 50 more): Same pattern found in 50 additional files. Review if needed."}, "properties": {"repobilityId": 118293, "scanner": "repobility-threat-engine", "fingerprint": "54a09d50714ec0408e1e01fd57c0b18e4dda1aeaf3e3ddb0d49ff7b1a828d9f2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 50 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|54a09d50714ec0408e1e01fd57c0b18e4dda1aeaf3e3ddb0d49ff7b1a828d9f2", "aggregated_count": 50}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 118289, "scanner": "repobility-threat-engine", "fingerprint": "504437fe9c949b0e5a483ece2d4f14f900ee2395e173773acf779d4d6f2616df", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|504437fe9c949b0e5a483ece2d4f14f900ee2395e173773acf779d4d6f2616df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/src/features/canon/vueTypeDeclarations.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 118288, "scanner": "repobility-threat-engine", "fingerprint": "91ffe707835bad9f8200a57f6613b0038de1fc3e59533a1b13e14927e17992ef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|91ffe707835bad9f8200a57f6613b0038de1fc3e59533a1b13e14927e17992ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/vite.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 118287, "scanner": "repobility-threat-engine", "fingerprint": "7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 118283, "scanner": "repobility-threat-engine", "fingerprint": "42fc4030f57c04d8ace60c0c7e321d52477b44af5460a2f3247591bde9511d4d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|42fc4030f57c04d8ace60c0c7e321d52477b44af5460a2f3247591bde9511d4d"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 118279, "scanner": "repobility-threat-engine", "fingerprint": "cd6259dea271f22c4a92cec5e1f348d2448cee14ffb575003568ca86cf3cd1df", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd6259dea271f22c4a92cec5e1f348d2448cee14ffb575003568ca86cf3cd1df", "aggregated_count": 9}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 118278, "scanner": "repobility-threat-engine", "fingerprint": "6aa45982198f05a08c1041b89e7467e6d7c7bb45646c6d125bf209195fbc6124", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6aa45982198f05a08c1041b89e7467e6d7c7bb45646c6d125bf209195fbc6124"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/fresco/src/components/Tree.ts"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 118277, "scanner": "repobility-threat-engine", "fingerprint": "d6f1326b090f59fe64397af2ec0eab0656d8fbb6bbc1e36e9ea6f035413d5426", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6f1326b090f59fe64397af2ec0eab0656d8fbb6bbc1e36e9ea6f035413d5426"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/run.ts"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 118276, "scanner": "repobility-threat-engine", "fingerprint": "1f1a20372d833f4b22ae373694b999c3bea5459cdfd80ba7013d288227cab77d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1f1a20372d833f4b22ae373694b999c3bea5459cdfd80ba7013d288227cab77d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/lint.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 118275, "scanner": "repobility-threat-engine", "fingerprint": "cea9866355a038634f49a33fe3675dd05bdfab113315ba4a5fc6f621944b5f4e", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|cea9866355a038634f49a33fe3675dd05bdfab113315ba4a5fc6f621944b5f4e"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 118271, "scanner": "repobility-threat-engine", "fingerprint": "54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 118267, "scanner": "repobility-threat-engine", "fingerprint": "340cf559e06ea61cbe96799fd51e5806ca4df347745b855166a663bead061461", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|340cf559e06ea61cbe96799fd51e5806ca4df347745b855166a663bead061461"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "properties": {"repobilityId": 118263, "scanner": "repobility-threat-engine", "fingerprint": "91cdf300fbc56e0e2516177d856cc3ed8a55dd77b981c7e972010a0ac61b7e48", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|91cdf300fbc56e0e2516177d856cc3ed8a55dd77b981c7e972010a0ac61b7e48", "aggregated_count": 47}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 118262, "scanner": "repobility-threat-engine", "fingerprint": "f69f37f274b87ffc55df6874532ee913d6dafeb4a7f7e5785e764d803001c526", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f69f37f274b87ffc55df6874532ee913d6dafeb4a7f7e5785e764d803001c526"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/comment-pr.mjs"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 118261, "scanner": "repobility-threat-engine", "fingerprint": "1936e7cf658b32a05f4abd9d941df24b6eaa003880abf536adff8c5534f5fdc8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1936e7cf658b32a05f4abd9d941df24b6eaa003880abf536adff8c5534f5fdc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/check.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 118260, "scanner": "repobility-threat-engine", "fingerprint": "655935d94471b2e99144b1294577d624362f7545e699e2ade7ad6b1492e836f2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|655935d94471b2e99144b1294577d624362f7545e699e2ade7ad6b1492e836f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/setup-moonbit/install-moonbit.mjs"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 118338, "scanner": "repobility-threat-engine", "fingerprint": "19e62b2bebe36aa13b135a68f4dab7c35121af3a8623b5b82512f80780fbbf39", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|19e62b2bebe36aa13b135a68f4dab7c35121af3a8623b5b82512f80780fbbf39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/vite-plus/check-warning-budget.mjs"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 118337, "scanner": "repobility-threat-engine", "fingerprint": "23fe412d7c5740af218565baf40031cea3a4dc5b9725cac6e43e606606f77f22", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23fe412d7c5740af218565baf40031cea3a4dc5b9725cac6e43e606606f77f22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/fuzz/seed_corpus.mjs"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort 
followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 118336, "scanner": "repobility-threat-engine", "fingerprint": "e1dfc8b65488fa0a13502725a596ae3dfc802ab5d503236287675acf6a4b4fe6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e1dfc8b65488fa0a13502725a596ae3dfc802ab5d503236287675acf6a4b4fe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/src/shared/presets/crossfile-reference-escape.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 118324, "scanner": "repobility-threat-engine", "fingerprint": "36784411c013a9e32e6628801a6da39a9542c8f598efa714315d72a4924fa3b7", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.error(`[musea-mcp] Tokens path: ${tokensPath}`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|3|console.error musea-mcp tokens path: tokenspath"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/musea-mcp-server/src/cli.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 118320, "scanner": "repobility-threat-engine", "fingerprint": "c76c6337e1306667556f1340a1a23ee5e2dfc0249c9bdc4b753e54f94fb4da8e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "newMap.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c76c6337e1306667556f1340a1a23ee5e2dfc0249c9bdc4b753e54f94fb4da8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vite-plugin-musea/gallery/composables/useA11y.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 118319, "scanner": "repobility-threat-engine", "fingerprint": "301e8cac49527f5189a0ce357de39d15d61e9985d668c35a2dbed6cf018410d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cache.delete(id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|301e8cac49527f5189a0ce357de39d15d61e9985d668c35a2dbed6cf018410d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/unplugin-vize/src/unplugin.ts"}, "region": {"startLine": 242}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 118318, "scanner": "repobility-threat-engine", "fingerprint": "ab7557d900a62c87d0b4eab7d8ea7e66ab7eaf29b9c26b7aeff22d80531e44d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "animationSubscribers.delete(callback);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ab7557d900a62c87d0b4eab7d8ea7e66ab7eaf29b9c26b7aeff22d80531e44d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/fresco/src/composables/useAnimation.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "properties": {"repobilityId": 118315, "scanner": "repobility-threat-engine", "fingerprint": "cd5743aec65302d88d202204f6425edee2ae87862198f6f42f4504fc110bdd41", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd5743aec65302d88d202204f6425edee2ae87862198f6f42f4504fc110bdd41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_musea/src/lib.rs"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: 
.unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 118292, "scanner": "repobility-threat-engine", "fingerprint": "30da5b71a301cf60a3f47d38352fec4110067caaa73d1fe5a57788a605f278d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30da5b71a301cf60a3f47d38352fec4110067caaa73d1fe5a57788a605f278d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize/src/commands/clean.rs"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 118291, "scanner": "repobility-threat-engine", "fingerprint": "4cdcfe316fa96a6d50eca4c379584a7d625982575d0dea7311e9eee4d3fdd440", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4cdcfe316fa96a6d50eca4c379584a7d625982575d0dea7311e9eee4d3fdd440"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize/src/commands/check/imports.rs"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 118290, "scanner": "repobility-threat-engine", "fingerprint": "329611eecee6c4460881ccb4827d56dbc30e1c63de335f99e4708fb550e44f1e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|329611eecee6c4460881ccb4827d56dbc30e1c63de335f99e4708fb550e44f1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize/src/cli.rs"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 118274, "scanner": "repobility-threat-engine", "fingerprint": "d48ee46915e59a3d30274a7ed83b9df887e0b9dd0394a9caa7a0edfd6616dc5d", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line) => `${indent}${line}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d48ee46915e59a3d30274a7ed83b9df887e0b9dd0394a9caa7a0edfd6616dc5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/oxlint-plugin-vize/src/format.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 118273, "scanner": "repobility-threat-engine", "fingerprint": "363c32cd2bc670a649ac73f616005073e461653878287f9e562fa1a71ff53761", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((e) => `h(${e.name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|363c32cd2bc670a649ac73f616005073e461653878287f9e562fa1a71ff53761"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/vite.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 118272, "scanner": "repobility-threat-engine", "fingerprint": "718441ddc26016690253e3406bf92099a19149be1268a848aae0204adff42322", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n      (regression) =>\n        `- ${regression.label}: ${formatRate(regression.rate)} (${formatP", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|718441ddc26016690253e3406bf92099a19149be1268a848aae0204adff42322"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/enforce-pr-budget.mjs"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 118270, "scanner": "repobility-threat-engine", "fingerprint": "f74532ea9c2ce7f3cb1bf94ea80cbe0083087c73105613f85146e2ef901f2a8b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f74532ea9c2ce7f3cb1bf94ea80cbe0083087c73105613f85146e2ef901f2a8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/enforce-pr-budget.mjs"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 118269, "scanner": "repobility-threat-engine", "fingerprint": "1629b2b9895465fb17ac4d627bed2524a06bc2694e81ac3a240d79a58955c08d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1629b2b9895465fb17ac4d627bed2524a06bc2694e81ac3a240d79a58955c08d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/compare-pr.mjs"}, "region": {"startLine": 360}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 118268, "scanner": "repobility-threat-engine", "fingerprint": "b6283da3ed973b033d54529098743aecbee38cd1b5a336f89ea9624a9dfce05d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b6283da3ed973b033d54529098743aecbee38cd1b5a336f89ea9624a9dfce05d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/comment-pr.mjs"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 118266, "scanner": "repobility-threat-engine", "fingerprint": "10628e5e1b7b35b3221e3a9b3f974b7cec047aaebd9433e77b549165d513ce6d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(block", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10628e5e1b7b35b3221e3a9b3f974b7cec047aaebd9433e77b549165d513ce6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/test-inventory.mjs"}, "region": {"startLine": 200}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 118265, "scanner": "repobility-threat-engine", "fingerprint": "0a5913c48ed1de100eaaa524d91b44a5b213148c5f82c7badfffce1909a9bef2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a5913c48ed1de100eaaa524d91b44a5b213148c5f82c7badfffce1909a9bef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/lint.ts"}, "region": {"startLine": 146}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 118264, "scanner": "repobility-threat-engine", "fingerprint": "2c8c2f4fcf04bc58af35003cef0db31c280f6fc6111aded1b93d17b74fb9d3dc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2c8c2f4fcf04bc58af35003cef0db31c280f6fc6111aded1b93d17b74fb9d3dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/check.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": 
{"repobilityId": 118313, "scanner": "repobility-threat-engine", "fingerprint": "b0a8cbd8c4ce4d1f8fd34f33776b6d5dd278bb1236a8f91fc3ba195d5001f8e7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0a8cbd8c4ce4d1f8fd34f33776b6d5dd278bb1236a8f91fc3ba195d5001f8e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_patina/src/rules/opinionated/vue/multi_word_component_names.rs"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 118312, "scanner": "repobility-threat-engine", "fingerprint": "5f70319622bb5ef69906ea723636749cb2ab4e8e785d3bc3c894f1007c4cf5d1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5f70319622bb5ef69906ea723636749cb2ab4e8e785d3bc3c894f1007c4cf5d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_patina/src/rules/a11y/no_refer_to_non_existent_id.rs"}, "region": 
{"startLine": 140}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 118311, "scanner": "repobility-threat-engine", "fingerprint": "d7a2c6fef7b4fae8d31ff1ad9dd3b31b4bd4cce715a886e4a4b30fc86fc1cf84", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7a2c6fef7b4fae8d31ff1ad9dd3b31b4bd4cce715a886e4a4b30fc86fc1cf84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/vize_croquis_cf/src/analyzer/tests_element_id.rs"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 118282, "scanner": "repobility-threat-engine", "fingerprint": "e332c67a80f698d2af3244a9123ace72e3c5d8cf2a1c9b694bb18746dbd99c41", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(specifier", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e332c67a80f698d2af3244a9123ace72e3c5d8cf2a1c9b694bb18746dbd99c41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/vize-native/native-binding.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 118281, "scanner": "repobility-threat-engine", "fingerprint": "8f9e7aeaf672b4f6d787a283fb94e7259c9a8ed8b0a3fc96645408a319d17722", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(packageName", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f9e7aeaf672b4f6d787a283fb94e7259c9a8ed8b0a3fc96645408a319d17722"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/oxlint-plugin-vize/src/native.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 118280, "scanner": "repobility-threat-engine", "fingerprint": "02ed00ebf6deb35c9e30ef4e4e8d3e3ef911c167ab12d01d183a2f07acd40c7a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(nativePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|02ed00ebf6deb35c9e30ef4e4e8d3e3ef911c167ab12d01d183a2f07acd40c7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/run.ts"}, "region": {"startLine": 58}}}]}]}]}