{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "A service worker without a manifest often means the PWA install surface is incomplete or inconsistent across devices."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. 
This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /ac"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /activities."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /currentUser."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /currentUser."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML when inserting plain text. Where HTML markup must be rendered, sanitize it first, for example with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/271"}, "properties": {"repository": "ant-design/ant-design-pro", "repoUrl": "https://github.com/ant-design/ant-design-pro", "branch": "master"}, "results": [{"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 8415, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 
1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 8414, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 8413, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8408, 
"scanner": "repobility-journey-contract", "fingerprint": "3de1a6d3d3c79b8ba29245a4f8757b2229f7053859209986a59bab3bce5ba1e0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/profile/basic", "correlation_key": "fp|3de1a6d3d3c79b8ba29245a4f8757b2229f7053859209986a59bab3bce5ba1e0", "backend_endpoint_count": 33}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/profile/basic/service.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8407, "scanner": "repobility-journey-contract", "fingerprint": "e173d08e2c2831e6862e462e956611d3ed503326f8f82b5159574bae31807a25", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/profile/advanced", "correlation_key": "fp|e173d08e2c2831e6862e462e956611d3ed503326f8f82b5159574bae31807a25", "backend_endpoint_count": 33}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/profile/advanced/service.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8406, "scanner": 
"repobility-journey-contract", "fingerprint": "cac7d4e26c4adbc0951d12e3ce0a4c99795981a24458b6148cb6e0ae11c1b29c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/basicform", "correlation_key": "fp|cac7d4e26c4adbc0951d12e3ce0a4c99795981a24458b6148cb6e0ae11c1b29c", "backend_endpoint_count": 33}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/form/basic-form/service.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8405, "scanner": "repobility-journey-contract", "fingerprint": "77d63aa07f4b6a3b8172147ae999f17276a07837256c944bf3597c60055dbf72", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/advancedform", "correlation_key": "fp|77d63aa07f4b6a3b8172147ae999f17276a07837256c944bf3597c60055dbf72", "backend_endpoint_count": 33}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/form/advanced-form/service.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8404, "scanner": "repobility-journey-contract", 
"fingerprint": "93528cfe824b72ac506fc8028fd470cecd43a2db988ab1c66194baf6ec20faa4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/geographic/city/{param}", "correlation_key": "fp|93528cfe824b72ac506fc8028fd470cecd43a2db988ab1c66194baf6ec20faa4", "backend_endpoint_count": 33}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/account/settings/service.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8403, "scanner": "repobility-journey-contract", "fingerprint": "fde3b522bdb8579ea6ac42d7a63e5a031c8923ceb7c0987eedbd1b5c5605b02d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/geographic/province", "correlation_key": "fp|fde3b522bdb8579ea6ac42d7a63e5a031c8923ceb7c0987eedbd1b5c5605b02d", "backend_endpoint_count": 33}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/account/settings/service.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8402, "scanner": "repobility-journey-contract", "fingerprint": 
"8a5846bd4ea97599decd2bf748e4e051db2391ceb4c8f9bd8082519081d6d323", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/profile", "correlation_key": "fp|8a5846bd4ea97599decd2bf748e4e051db2391ceb4c8f9bd8082519081d6d323", "backend_endpoint_count": 33}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/index.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8401, "scanner": "repobility-journey-contract", "fingerprint": "ffb723615c7f29c682642e335000bee4c96eccaa5ff125ea30cf4ad3446cf70e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/geographic", "correlation_key": "fp|ffb723615c7f29c682642e335000bee4c96eccaa5ff125ea30cf4ad3446cf70e", "backend_endpoint_count": 33}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/index.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8400, "scanner": "repobility-journey-contract", "fingerprint": 
"530ff8b17bbb4a73578c7a2fc0183efd2906b0bcf10b7e5923d85e72e9f98721", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/monitor", "correlation_key": "fp|530ff8b17bbb4a73578c7a2fc0183efd2906b0bcf10b7e5923d85e72e9f98721", "backend_endpoint_count": 33}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/index.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /activities."}, "properties": {"repobilityId": 8398, "scanner": "repobility-access-control", "fingerprint": "9df0623874b733d8bd9510d2509ec8c53316426c038053e6438c50711d5c6563", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/activities", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|43|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/routes/dashboard.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /users."}, "properties": {"repobilityId": 8397, "scanner": "repobility-access-control", "fingerprint": "c59fd72e13e97750441f45b6d18e44089a8f42cb9902ed86237b3f69011d43a5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|45|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/routes/user.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /notices."}, "properties": {"repobilityId": 8396, "scanner": "repobility-access-control", "fingerprint": "3161771680c6b16f062e7d9a5f55fc04b769e283a822827a75b62e6cf9e648b4", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/notices", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|6|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/routes/notices.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /currentUser."}, "properties": {"repobilityId": 8395, "scanner": "repobility-access-control", "fingerprint": "25a50b774b174fa9baa9b53898f2bbbf72473fe4cb76c1c525ec7258af8e9ad3", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/currentUser", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|37|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/routes/user.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /post_fake_list."}, "properties": {"repobilityId": 8394, "scanner": "repobility-access-control", "fingerprint": "c4fe0247bc7529b78d2a63e325a3a0349515f0784f809b39e6ed265356280a33", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/post_fake_list", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|32|cwe-285", "duplicate_count": 1, "identity_targets": ["unknown"], "duplicate_rule_ids": ["AUC004", "AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["18518f416d3f308d002bac8c9c4616298f0bf93984a1b95eb4d80473c4b962e5", "c4fe0247bc7529b78d2a63e325a3a0349515f0784f809b39e6ed265356280a33"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/routes/list.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /login/outLogin."}, "properties": {"repobilityId": 8393, "scanner": "repobility-access-control", "fingerprint": "af8c169855c1de7f9c6fafed8a2a16527174e1236c23ed33a8a16afe9ba3f8d5", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/login/outLogin", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|22|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/routes/user.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action 
without elevated policy evidence. Endpoint: GET /accountSettingCurrentUser."}, "properties": {"repobilityId": 8392, "scanner": "repobility-access-control", "fingerprint": "9a0b735a99562ca915a56d74780c25d26ff8bfa2f63f2eabbfa60cd1bb0cc91a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/accountSettingCurrentUser", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|7|cwe-285", "duplicate_count": 1, "identity_targets": ["unknown"], "duplicate_rule_ids": ["AUC004", "AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["9a0b735a99562ca915a56d74780c25d26ff8bfa2f63f2eabbfa60cd1bb0cc91a", "e6d550a4eed1efaa9dd859170a2b2c8fcb7d5fff0490fedefef8316d45f442a3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/routes/settings.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/auth_routes."}, "properties": {"repobilityId": 8391, "scanner": "repobility-access-control", "fingerprint": "aaa58b7e5d9ad4e32a8b8b7b46cf13fc1fccd05ad873cb353533ba41a078c252", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/auth_routes", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|29|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/index.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 8390, "scanner": "repobility-access-control", "fingerprint": "ae0e7b4007a228cab07ec453f8cb9c117341ab68ff3dea44fb2d51291624b5e0", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 33, "correlation_key": "fp|ae0e7b4007a228cab07ec453f8cb9c117341ab68ff3dea44fb2d51291624b5e0", "auth_visible_percent": 18.2}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 8389, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": 
"auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8381, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e913847d27d308d3aeee59b941bb1361a0797204ec91c9896fc882b133c04fcc", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/pages/list/search/applications/index.tsx", "duplicate_line": 110, "correlation_key": "fp|e913847d27d308d3aeee59b941bb1361a0797204ec91c9896fc882b133c04fcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/list/search/projects/index.tsx"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8380, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22079d97a6b1030b6beb0315d334540b44cce9f532edb840e4e1a18a0842c135", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/pages/list/search/articles/index.tsx", "duplicate_line": 144, "correlation_key": "fp|22079d97a6b1030b6beb0315d334540b44cce9f532edb840e4e1a18a0842c135"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/list/search/projects/index.tsx"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8379, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5879f98145ce7bd1a8667fffc4cc05caaab27f81fc80b1f2e821205321da51fb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/pages/account/center/components/Projects/index.tsx", "duplicate_line": 47, "correlation_key": "fp|5879f98145ce7bd1a8667fffc4cc05caaab27f81fc80b1f2e821205321da51fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/list/search/projects/index.tsx"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8378, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96ba2f2d47d24fa0df16ac00c1db31753b716131d56377900604e930cc448c43", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "src/pages/account/center/components/Articles/index.tsx", "duplicate_line": 45, "correlation_key": "fp|96ba2f2d47d24fa0df16ac00c1db31753b716131d56377900604e930cc448c43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/list/search/articles/index.tsx"}, "region": {"startLine": 246}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8377, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f876392015b37df20725ac28b971e0cdc0081c1774b0d14a21f3641bb1ed8124", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/pages/list/search/applications/index.tsx", "duplicate_line": 110, "correlation_key": "fp|f876392015b37df20725ac28b971e0cdc0081c1774b0d14a21f3641bb1ed8124"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/list/search/articles/index.tsx"}, "region": {"startLine": 145}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8376, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac12bd244af0bb537848dd91783a686ad7d084a716ca826ac1651802a26e0830", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/pages/account/center/components/Applications/index.style.ts", 
"duplicate_line": 6, "correlation_key": "fp|ac12bd244af0bb537848dd91783a686ad7d084a716ca826ac1651802a26e0830"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/list/search/applications/style.style.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8375, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c75b342d69f2630eb63a7ba5cbddb718bdf99f64b981524b611b7f24db623fc", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/pages/account/center/components/Applications/index.tsx", "duplicate_line": 14, "correlation_key": "fp|4c75b342d69f2630eb63a7ba5cbddb718bdf99f64b981524b611b7f24db623fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/list/search/applications/index.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8374, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b9cd7fe5a4ad1d83f241ba63f91af2d01cb288b01f7a8f3a449febedf890fa1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/pages/form/advanced-form/index.tsx", "duplicate_line": 264, "correlation_key": 
"fp|5b9cd7fe5a4ad1d83f241ba63f91af2d01cb288b01f7a8f3a449febedf890fa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/list/basic-list/components/OperationModal.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8373, "scanner": "repobility-ai-code-hygiene", "fingerprint": "693126e72480fcba9750f20fb009d10de0180b9b7aecb49b10cf3b38a98b9014", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/pages/dashboard/analysis/_mock.ts", "duplicate_line": 29, "correlation_key": "fp|693126e72480fcba9750f20fb009d10de0180b9b7aecb49b10cf3b38a98b9014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/dashboard/workplace/_mock.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8372, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a06288d91f44e3749b480f90ecad63cd783dd0ed568218e6ba245b05d0553fe", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/pages/account/settings/components/notification.tsx", "duplicate_line": 27, "correlation_key": "fp|9a06288d91f44e3749b480f90ecad63cd783dd0ed568218e6ba245b05d0553fe"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "src/pages/account/settings/components/security.tsx"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8371, "scanner": "repobility-ai-code-hygiene", "fingerprint": "601d84c0a2cc6ac891cd305f061a09fbb16e7881bae619d2f8b024a201d497b7", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cloudflare-worker/src/data/common.ts", "duplicate_line": 1, "correlation_key": "fp|601d84c0a2cc6ac891cd305f061a09fbb16e7881bae619d2f8b024a201d497b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mock/utils.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8370, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7988ef4373b6b4b3152042236bc8c17af7e7f1d93f7b7066838c3d3d749bf5a5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cloudflare-worker/src/data/notices.ts", "duplicate_line": 28, "correlation_key": "fp|7988ef4373b6b4b3152042236bc8c17af7e7f1d93f7b7066838c3d3d749bf5a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mock/notices.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "WEB011", "level": "note", 
"message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 8412, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 8411, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 8410, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a 
public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 8409, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 8399, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], "correlation_key": 
"fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 8387, "scanner": "repobility-threat-engine", "fingerprint": "d567fecbb6dedf87857fbdadfbb8ddfa4d84ef16f3617dfe94cb97b30ed0bcb4", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML ==", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|public/scripts/loading.js|7|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/scripts/loading.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 8388, "scanner": "repobility-threat-engine", "fingerprint": "d6c2e9a6f4ac0bd504aec8c54dabdbd08459ab58264a5767d4a36f602db3f610", "category": "injection", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "React dangerouslySetInnerHTML \u2014 deliberate pattern with built-in XSS warnings", "evidence": {"match": ".innerHTML = y", "reason": "React dangerouslySetInnerHTML \u2014 deliberate pattern with built-in XSS warnings", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|injection|token|10|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/dashboard/analysis/utils/Yuan.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC020", "level": "none", "message": 
{"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8386, "scanner": "repobility-threat-engine", "fingerprint": "1ec81208718cf66a694fe61e359b13b99a12c93f5b5a670167fe2d10e5b12490", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log('- config/config.ts \u4e0d\u5b58\u5728\uff0c\u8df3\u8fc7')", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|scripts/i18n-remove.js|18|console.log - config/config.ts"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/i18n-remove.js"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 8385, "scanner": "repobility-threat-engine", "fingerprint": "aeb1d1e29cee8f1a8677063f214e9f1b22515b13b4a290d65492c88b95140c1a", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|aeb1d1e29cee8f1a8677063f214e9f1b22515b13b4a290d65492c88b95140c1a"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 8384, "scanner": "repobility-threat-engine", "fingerprint": "41a584adb98efa1ac2fc478a966daa6f82916df8b6cef64344005cf5e90805e1", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|18|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloudflare-worker/src/data/dashboard.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 8383, "scanner": "repobility-threat-engine", "fingerprint": "cfdb151473ae662d5dce3e54509b7d6bbdbd9822d27161aaf3d5930597ebb001", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|mock/utils.ts|118|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mock/utils.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 8382, "scanner": "repobility-threat-engine", "fingerprint": "9faa5febdf272885ffdd0501df68b3ea40c573617f1bfb74db0e64568ef89a96", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|mock/listtablelist.ts|22|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mock/listTableList.ts"}, "region": {"startLine": 22}}}]}]}]}