{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 40.0% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 40.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 40.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", 
"confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `supertest` is 1 major version(s) behind (^6.3.0 -> 7.2.2)", "shortDescription": {"text": "npm package `supertest` is 1 major version(s) behind (^6.3.0 -> 7.2.2)"}, "fullDescription": {"text": "`supertest` is pinned/resolved at ^6.3.0 but the latest stable release on the npm registry is 7.2.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /user/:uid/photos/:file."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /user/:uid/photos/:file."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express DELETE /user/:id has no auth", "shortDescription": {"text": "Express DELETE /user/:id has no auth"}, "fullDescription": {"text": "Express route DELETE /user/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/840"}, "properties": {"repository": "expressjs/express", "repoUrl": "https://github.com/expressjs/express", "branch": "master"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75415, "scanner": "repobility-journey-contract", "fingerprint": "127ce3f0c6a4daba686976e71fd6ad709669ed645cace37a16d2c72114f9adab", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/something", "correlation_key": "fp|127ce3f0c6a4daba686976e71fd6ad709669ed645cace37a16d2c72114f9adab", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/web-service.js"}, "region": {"startLine": 100}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75414, "scanner": "repobility-journey-contract", "fingerprint": "b65feb5272aa08f785dcf8f42ab4bc9f8fbaaf5a2456ef88a23c18b6625f921f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no 
discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/user/bob/repos", "correlation_key": "fp|b65feb5272aa08f785dcf8f42ab4bc9f8fbaaf5a2456ef88a23c18b6625f921f", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/web-service.js"}, "region": {"startLine": 91}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75413, "scanner": "repobility-journey-contract", "fingerprint": "421447368facb163420246aad6582b37a95d30ea829878c0e2f7a74ae2282c8d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/user/loki/repos", "correlation_key": "fp|421447368facb163420246aad6582b37a95d30ea829878c0e2f7a74ae2282c8d", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/web-service.js"}, "region": {"startLine": 82}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75412, "scanner": "repobility-journey-contract", "fingerprint": "e7e801d5b0fe51e34398d6104be5fd707e0e34bf55f16ae79c1f1a573344c1ec", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same 
route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/user/loki/repos", "correlation_key": "fp|e7e801d5b0fe51e34398d6104be5fd707e0e34bf55f16ae79c1f1a573344c1ec", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/web-service.js"}, "region": {"startLine": 74}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75411, "scanner": "repobility-journey-contract", "fingerprint": "0e8629390b82c1cc31a5ce4f6218f67280609498093201e9c5d45529f6fc33db", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/user/loki/repos", "correlation_key": "fp|0e8629390b82c1cc31a5ce4f6218f67280609498093201e9c5d45529f6fc33db", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/web-service.js"}, "region": {"startLine": 66}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75410, "scanner": "repobility-journey-contract", "fingerprint": "cb36037fc0db34953fff1d8b4265c87b617a6a1a24cf3adaee96ef94d71c810d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": 
"JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/repos", "correlation_key": "fp|cb36037fc0db34953fff1d8b4265c87b617a6a1a24cf3adaee96ef94d71c810d", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/web-service.js"}, "region": {"startLine": 53}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75409, "scanner": "repobility-journey-contract", "fingerprint": "ed129cd4be5c52cd076b1a3f0f82010b08ec7b1c45320128b5ff2d16a026fbac", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/repos", "correlation_key": "fp|ed129cd4be5c52cd076b1a3f0f82010b08ec7b1c45320128b5ff2d16a026fbac", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/web-service.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75408, "scanner": "repobility-journey-contract", "fingerprint": "224be95e8bb5f0efc4c5e10f9b186552014d4dcc09bcfaade5e7ccae2c46f3a9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", 
"references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/repos", "correlation_key": "fp|224be95e8bb5f0efc4c5e10f9b186552014d4dcc09bcfaade5e7ccae2c46f3a9", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/web-service.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75407, "scanner": "repobility-journey-contract", "fingerprint": "8edf1f588b91d241d6c515f4d2590080e444e28bf17a279739734cbd0c2ec86c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/users", "correlation_key": "fp|8edf1f588b91d241d6c515f4d2590080e444e28bf17a279739734cbd0c2ec86c", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/web-service.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75406, "scanner": "repobility-journey-contract", "fingerprint": "6b60ce143a0b93c700774b0e0df963191e1b6c48aa0e4dddab44e2453239580d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/users", "correlation_key": "fp|6b60ce143a0b93c700774b0e0df963191e1b6c48aa0e4dddab44e2453239580d", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/web-service.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75405, "scanner": "repobility-journey-contract", "fingerprint": "a8c3841fdf62a699d48c6ad73da03cbad89dbf41ed808318210ffcdf29405e18", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/users", "correlation_key": "fp|a8c3841fdf62a699d48c6ad73da03cbad89dbf41ed808318210ffcdf29405e18", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/web-service.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75404, "scanner": "repobility-journey-contract", "fingerprint": "1180eb8b851227406720caecd294f64466bf36b5344edd132d863933584099d8", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], 
"route_shape": "/api/v2/users", "correlation_key": "fp|1180eb8b851227406720caecd294f64466bf36b5344edd132d863933584099d8", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/multi-router.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75403, "scanner": "repobility-journey-contract", "fingerprint": "7a52e9be24373ebba71db839b803670caae0f8536580d22fed54a7369d0d052a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v2", "correlation_key": "fp|7a52e9be24373ebba71db839b803670caae0f8536580d22fed54a7369d0d052a", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/multi-router.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75402, "scanner": "repobility-journey-contract", "fingerprint": "7e37684e64a579cfdc6d599418ef8664c560149e66badd19d788860ed8b0eb35", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/users", "correlation_key": 
"fp|7e37684e64a579cfdc6d599418ef8664c560149e66badd19d788860ed8b0eb35", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/multi-router.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 75401, "scanner": "repobility-journey-contract", "fingerprint": "1bad1fe0af66b6e3917ed4f9aae5cf04bbfdd42bfc36e8545387b74936fb019b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1", "correlation_key": "fp|1bad1fe0af66b6e3917ed4f9aae5cf04bbfdd42bfc36e8545387b74936fb019b", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/acceptance/multi-router.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 40.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 75398, "scanner": "repobility-access-control", "fingerprint": "590150581400d15f2f68c5d5dc2b1a013fcc55de86fe55e7743c6640b3fbf93c", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 15, "correlation_key": "fp|590150581400d15f2f68c5d5dc2b1a013fcc55de86fe55e7743c6640b3fbf93c", 
"auth_visible_percent": 40.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 75397, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 75396, "scanner": "repobility-threat-engine", "fingerprint": "9fe5e449d2fd19638fb47e10b3e60b74272c7e666ddc3c4b1faf444139b816d0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Foo bar'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9fe5e449d2fd19638fb47e10b3e60b74272c7e666ddc3c4b1faf444139b816d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/route-separation/post.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `supertest` is 1 major version(s) behind (^6.3.0 -> 7.2.2)"}, "properties": {"repobilityId": 75389, "scanner": "repobility-dependency-currency", "fingerprint": "f013c665416afc23e2b7bb90355706bcd2347814f3fd1fcedf2b3f4e40ef41ee", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "supertest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.2.2", "correlation_key": "fp|f013c665416afc23e2b7bb90355706bcd2347814f3fd1fcedf2b3f4e40ef41ee", "current_version": "^6.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `nyc` is 1 major version(s) behind (^17.1.0 -> 18.0.0)"}, "properties": {"repobilityId": 75388, 
"scanner": "repobility-dependency-currency", "fingerprint": "4a05ea2d23b8b7f13b93d896376c31bb14b19e0ab60621e3ed196b940be5c57b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nyc", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.0", "correlation_key": "fp|4a05ea2d23b8b7f13b93d896376c31bb14b19e0ab60621e3ed196b940be5c57b", "current_version": "^17.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `marked` is 3 major version(s) behind (^15.0.3 -> 18.0.5)"}, "properties": {"repobilityId": 75386, "scanner": "repobility-dependency-currency", "fingerprint": "834cef452f5088f1e01d512b7c99fa3f92c5a12b8de192f339e1813c71f34643", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "marked", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.5", "correlation_key": "fp|834cef452f5088f1e01d512b7c99fa3f92c5a12b8de192f339e1813c71f34643", "current_version": "^15.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `ejs` is 3 major version(s) behind (^3.1.10 -> 6.0.1)"}, "properties": {"repobilityId": 75383, "scanner": "repobility-dependency-currency", "fingerprint": "60f9db7e3a4bfd35bf22237021e3c4f2f4221f83055564e3ec6aabb93ffcbc70", "category": "dependency", "severity": "medium", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ejs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.1", "correlation_key": "fp|60f9db7e3a4bfd35bf22237021e3c4f2f4221f83055564e3ec6aabb93ffcbc70", "current_version": "^3.1.10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `connect-redis` is 1 major version(s) behind (^8.0.1 -> 9.0.0)"}, "properties": {"repobilityId": 75382, "scanner": "repobility-dependency-currency", "fingerprint": "ca294b945a7ca290ca7b445e10fb391c882ad24a2a78d370d0853a063bde3093", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "connect-redis", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.0", "correlation_key": "fp|ca294b945a7ca290ca7b445e10fb391c882ad24a2a78d370d0853a063bde3093", "current_version": "^8.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `cookie` is 1 major version(s) behind (^0.7.1 -> 1.1.1)"}, "properties": {"repobilityId": 75371, "scanner": "repobility-dependency-currency", "fingerprint": "a505241edaab931c35e61f6e8f4943e8a29ea53f464c4f716aff0cc8bcb33160", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], 
"package": "cookie", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.1.1", "correlation_key": "fp|a505241edaab931c35e61f6e8f4943e8a29ea53f464c4f716aff0cc8bcb33160", "current_version": "^0.7.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `content-type` is 1 major version(s) behind (^1.0.5 -> 2.0.0)"}, "properties": {"repobilityId": 75370, "scanner": "repobility-dependency-currency", "fingerprint": "bd414d1eeee661258ca073f28855e7e63e660938bee32c2a462782be53ba248b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "content-type", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.0", "correlation_key": "fp|bd414d1eeee661258ca073f28855e7e63e660938bee32c2a462782be53ba248b", "current_version": "^1.0.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `content-disposition` is 1 major version(s) behind (^1.0.0 -> 2.0.1)"}, "properties": {"repobilityId": 75369, "scanner": "repobility-dependency-currency", "fingerprint": "36125a14b93eba1321b31fd2a3f8110ad63abc9d1b7076705da2a606a8d672f8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "content-disposition", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.1", 
"correlation_key": "fp|36125a14b93eba1321b31fd2a3f8110ad63abc9d1b7076705da2a606a8d672f8", "current_version": "^1.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 75400, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `morgan` is minor version(s) behind (1.10.1 -> 1.11.0)"}, "properties": {"repobilityId": 75387, "scanner": "repobility-dependency-currency", "fingerprint": "9b2e530b6a9fca8fa2e21f283289621ae527827a0cfccb1a44071f299164591d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "morgan", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.11.0", "correlation_key": "fp|9b2e530b6a9fca8fa2e21f283289621ae527827a0cfccb1a44071f299164591d", "current_version": "1.10.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `express-session` is minor 
version(s) behind (^1.18.1 -> 1.19.0)"}, "properties": {"repobilityId": 75384, "scanner": "repobility-dependency-currency", "fingerprint": "9c72e01e132247cd19305d30fc9dfca13537035d4a524db7aa0411bc68396b16", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "express-session", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.19.0", "correlation_key": "fp|9c72e01e132247cd19305d30fc9dfca13537035d4a524db7aa0411bc68396b16", "current_version": "^1.18.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `type-is` is minor version(s) behind (^2.0.1 -> 2.1.0)"}, "properties": {"repobilityId": 75381, "scanner": "repobility-dependency-currency", "fingerprint": "0475f33e6eb62c608c699ef789ea1105771d43239b8aee4b07efe367f8d202a2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "type-is", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.1.0", "correlation_key": "fp|0475f33e6eb62c608c699ef789ea1105771d43239b8aee4b07efe367f8d202a2", "current_version": "^2.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `send` is minor version(s) behind (^1.1.0 -> 1.2.1)"}, "properties": {"repobilityId": 75378, "scanner": "repobility-dependency-currency", "fingerprint": 
"0d1e24f15e077505eaee28385262c477ce74a2af1c6ca6b240545dede318cc2a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "send", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.2.1", "correlation_key": "fp|0d1e24f15e077505eaee28385262c477ce74a2af1c6ca6b240545dede318cc2a", "current_version": "^1.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `qs` is minor version(s) behind (^6.14.2 -> 6.15.2)"}, "properties": {"repobilityId": 75377, "scanner": "repobility-dependency-currency", "fingerprint": "c89cb64c5127163c74ae4733b78408e1363dd281ba00a75f357c326ef5a4a2af", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "qs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.15.2", "correlation_key": "fp|c89cb64c5127163c74ae4733b78408e1363dd281ba00a75f357c326ef5a4a2af", "current_version": "^6.14.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75342, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dea0ce767a3a263df1371cbff0d14b1f07ce3bf3e8cea1507715cf8d510612ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/res.download.js", "duplicate_line": 104, "correlation_key": "fp|dea0ce767a3a263df1371cbff0d14b1f07ce3bf3e8cea1507715cf8d510612ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/res.sendFile.js"}, "region": {"startLine": 258}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75341, "scanner": "repobility-ai-code-hygiene", "fingerprint": "239038d36662996fee3dd0ae9c99bfe76d3c7ff82515bc30ab6f5e2b12f5ad81", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/res.json.js", "duplicate_line": 121, "correlation_key": "fp|239038d36662996fee3dd0ae9c99bfe76d3c7ff82515bc30ab6f5e2b12f5ad81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/res.jsonp.js"}, "region": {"startLine": 234}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75340, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de35c526c4c1e8a168e6bc3caaa4f07099396e139c5c24e305f59507d697ffa2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"test/express.raw.js", "duplicate_line": 317, "correlation_key": "fp|de35c526c4c1e8a168e6bc3caaa4f07099396e139c5c24e305f59507d697ffa2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.urlencoded.js"}, "region": {"startLine": 554}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75339, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e8a25f8ed3435267dc693180eb8f802a8d9134d0ad5d8f786a83a459289c958", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/express.text.js", "duplicate_line": 264, "correlation_key": "fp|5e8a25f8ed3435267dc693180eb8f802a8d9134d0ad5d8f786a83a459289c958"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.urlencoded.js"}, "region": {"startLine": 461}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75338, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c9a659bf421cd618ff983be694a53cb43299170e56be7c39aad2723a454682b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/express.json.js", "duplicate_line": 320, "correlation_key": "fp|c9a659bf421cd618ff983be694a53cb43299170e56be7c39aad2723a454682b3"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "test/express.urlencoded.js"}, "region": {"startLine": 433}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75337, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d157a5cfff13c2dc02c7221cc28fa07dea800dc8c1878af7fd87a861e709d274", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/express.raw.js", "duplicate_line": 224, "correlation_key": "fp|d157a5cfff13c2dc02c7221cc28fa07dea800dc8c1878af7fd87a861e709d274"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.text.js"}, "region": {"startLine": 239}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75336, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f17562f69ce8f18177996cbf2f25957132873b8ca0bdfcedb00dd6a2a287068", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/express.json.js", "duplicate_line": 321, "correlation_key": "fp|4f17562f69ce8f18177996cbf2f25957132873b8ca0bdfcedb00dd6a2a287068"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.text.js"}, "region": {"startLine": 237}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 75335, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb85172be2448c41fa16527c38a2bec5cbfaf3e46ac56ab30a5a39fe682b31fe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/express.json.js", "duplicate_line": 321, "correlation_key": "fp|fb85172be2448c41fa16527c38a2bec5cbfaf3e46ac56ab30a5a39fe682b31fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.raw.js"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 75393, "scanner": "repobility-threat-engine", "fingerprint": "6c343569363dd0a3833bf7122ebe77c77c7fe0326e0e996e6706685c8f85b729", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6c343569363dd0a3833bf7122ebe77c77c7fe0326e0e996e6706685c8f85b729", "aggregated_count": 23}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 75392, "scanner": "repobility-threat-engine", "fingerprint": "815b5c8afa2fe0c714172ee1b9f82cbe5f508af27691799064f39da3a9947d2a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|815b5c8afa2fe0c714172ee1b9f82cbe5f508af27691799064f39da3a9947d2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/cookie-sessions/index.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 75391, "scanner": "repobility-threat-engine", "fingerprint": "b084828d30f116e213416575693e7ce13944aa409ace3fcad8d8991264ff3bab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b084828d30f116e213416575693e7ce13944aa409ace3fcad8d8991264ff3bab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/content-negotiation/index.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 75390, "scanner": "repobility-threat-engine", "fingerprint": "ddd406e8e7d82578f5daba3986af83b6cbbef39feea0a6613adad4a81bc440ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ddd406e8e7d82578f5daba3986af83b6cbbef39feea0a6613adad4a81bc440ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/auth/index.js"}, "region": {"startLine": 61}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `hbs` is patch version(s) behind (4.2.0 -> 4.2.1)"}, "properties": {"repobilityId": 75385, "scanner": "repobility-dependency-currency", "fingerprint": "e375982ee1c883285adec11e61c5d33c74b7a52c1dfbda8a064d5ff14d696685", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "hbs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.2.1", "correlation_key": "fp|e375982ee1c883285adec11e61c5d33c74b7a52c1dfbda8a064d5ff14d696685", "current_version": "4.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `statuses` is patch version(s) behind (^2.0.1 -> 2.0.2)"}, 
"properties": {"repobilityId": 75380, "scanner": "repobility-dependency-currency", "fingerprint": "61ad4e3f01276038dc625b962f1e72cce610813e48e611bf6cf29c84cd232e4c", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "statuses", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.2", "correlation_key": "fp|61ad4e3f01276038dc625b962f1e72cce610813e48e611bf6cf29c84cd232e4c", "current_version": "^2.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `serve-static` is patch version(s) behind (^2.2.0 -> 2.2.1)"}, "properties": {"repobilityId": 75379, "scanner": "repobility-dependency-currency", "fingerprint": "e63961c805ac35e6941a8be0dd0cef95131c46fcc4ecbbb3eb675c95b815969c", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "serve-static", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.2.1", "correlation_key": "fp|e63961c805ac35e6941a8be0dd0cef95131c46fcc4ecbbb3eb675c95b815969c", "current_version": "^2.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `mime-types` is patch version(s) behind (^3.0.0 -> 3.0.2)"}, "properties": {"repobilityId": 75376, "scanner": "repobility-dependency-currency", "fingerprint": "db4db8608e4e10cd6f5a81680cd642c695fbd527ff85d0bf0529ac97fd08b01c", "category": 
"dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "mime-types", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.2", "correlation_key": "fp|db4db8608e4e10cd6f5a81680cd642c695fbd527ff85d0bf0529ac97fd08b01c", "current_version": "^3.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `http-errors` is patch version(s) behind (^2.0.0 -> 2.0.1)"}, "properties": {"repobilityId": 75375, "scanner": "repobility-dependency-currency", "fingerprint": "8cef5db47ff4f58b532c94239c0d4037960cafe4d91d5cc99ca29d803e59317a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "http-errors", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.1", "correlation_key": "fp|8cef5db47ff4f58b532c94239c0d4037960cafe4d91d5cc99ca29d803e59317a", "current_version": "^2.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `finalhandler` is patch version(s) behind (^2.1.0 -> 2.1.1)"}, "properties": {"repobilityId": 75374, "scanner": "repobility-dependency-currency", "fingerprint": "0bec75eb9821ce75de7febc4f9578c0a3dedefae5b04c117bf20faedbab96252", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": 
"currency", "cwe_ids": [], "package": "finalhandler", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.1.1", "correlation_key": "fp|0bec75eb9821ce75de7febc4f9578c0a3dedefae5b04c117bf20faedbab96252", "current_version": "^2.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `debug` is patch version(s) behind (^4.4.0 -> 4.4.3)"}, "properties": {"repobilityId": 75373, "scanner": "repobility-dependency-currency", "fingerprint": "8e98f8439c9d795c5cbc91e746874f9c5a485750d3bcd1664c85e1425a8dbe56", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "debug", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.4.3", "correlation_key": "fp|8e98f8439c9d795c5cbc91e746874f9c5a485750d3bcd1664c85e1425a8dbe56", "current_version": "^4.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `cookie-signature` is patch version(s) behind (^1.2.1 -> 1.2.2)"}, "properties": {"repobilityId": 75372, "scanner": "repobility-dependency-currency", "fingerprint": "d5e7112b792318f3472ef0d87fb7b4edacde5f5af434aa34fe0bef5dbb818a93", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cookie-signature", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.2.2", 
"correlation_key": "fp|d5e7112b792318f3472ef0d87fb7b4edacde5f5af434aa34fe0bef5dbb818a93", "current_version": "^1.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `body-parser` is patch version(s) behind (^2.2.1 -> 2.2.2)"}, "properties": {"repobilityId": 75368, "scanner": "repobility-dependency-currency", "fingerprint": "88ad663090a8805d68bfa83d61bb22a2332055bb3b2f58d69cf70aa85e6b3ba4", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "body-parser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.2.2", "correlation_key": "fp|88ad663090a8805d68bfa83d61bb22a2332055bb3b2f58d69cf70aa85e6b3ba4", "current_version": "^2.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /user/:uid/photos/:file."}, "properties": {"repobilityId": 75399, "scanner": "repobility-access-control", "fingerprint": "e5fe1fcec92fb72600aaabd773bb1599a9c9f0d48596ca6525c219b37f07db87", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/user/:uid/photos/:file", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|lib/response.js|355|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/response.js"}, "region": {"startLine": 355}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 75395, "scanner": "repobility-threat-engine", "fingerprint": "238170e12fb8a19201001f0d0c1916c9b205638e7527d1c77fb48937ae32b9ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "obj.destroy(req, res, id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|238170e12fb8a19201001f0d0c1916c9b205638e7527d1c77fb48937ae32b9ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/resource/index.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /user/:id has no auth"}, "properties": {"repobilityId": 75367, "scanner": "repobility-route-auth", "fingerprint": "1a077ac3aefee6d968edc9b782cfd228e9454da878330695e7dbb554ece10a81", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1a077ac3aefee6d968edc9b782cfd228e9454da878330695e7dbb554ece10a81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/route-middleware/index.js"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75366, "scanner": "repobility-route-auth", "fingerprint": "3f10ae9007b97b94259a2a18d3a49ae8684d3fc488a6224f6fd552ae70a6f0db", "category": "quality", "severity": "high", "confidence": 
0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3f10ae9007b97b94259a2a18d3a49ae8684d3fc488a6224f6fd552ae70a6f0db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.json.js"}, "region": {"startLine": 735}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75365, "scanner": "repobility-route-auth", "fingerprint": "496aba5f5a121956997455070819d6ae93c53843521753e80f2781056a1423e0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|496aba5f5a121956997455070819d6ae93c53843521753e80f2781056a1423e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.json.js"}, "region": {"startLine": 536}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75364, "scanner": "repobility-route-auth", "fingerprint": "2d4335799645a3b290d6b9884232a0a2703c4bd763979ff041c3b2395eac0f52", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", 
"correlation_key": "fp|2d4335799645a3b290d6b9884232a0a2703c4bd763979ff041c3b2395eac0f52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.json.js"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75363, "scanner": "repobility-route-auth", "fingerprint": "0ca285ae15ad87ba2c7ce741123fb72e1206c9811454892455dc08d2aa52e3cf", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0ca285ae15ad87ba2c7ce741123fb72e1206c9811454892455dc08d2aa52e3cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.json.js"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE / has no auth"}, "properties": {"repobilityId": 75362, "scanner": "repobility-route-auth", "fingerprint": "eec054960d73c9304cee5b79fb0fe1bce9fd95f60058dd373316cbace726527e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|eec054960d73c9304cee5b79fb0fe1bce9fd95f60058dd373316cbace726527e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/app.router.js"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": 
{"repobilityId": 75361, "scanner": "repobility-route-auth", "fingerprint": "8611a10e88a9c34cd67da196b7b56737b77cc239a15c494e55ba85e1d10621a6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8611a10e88a9c34cd67da196b7b56737b77cc239a15c494e55ba85e1d10621a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.text.js"}, "region": {"startLine": 561}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75360, "scanner": "repobility-route-auth", "fingerprint": "63c4e8718424845fdbd4f504f96268b96ee51fae757b955643e92f00357816fe", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|63c4e8718424845fdbd4f504f96268b96ee51fae757b955643e92f00357816fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.text.js"}, "region": {"startLine": 393}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75359, "scanner": "repobility-route-auth", "fingerprint": "9fab51c74af6f6f0593fe355f8b05cc52a086b6ef6cc994ec5e6ea539b61185a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9fab51c74af6f6f0593fe355f8b05cc52a086b6ef6cc994ec5e6ea539b61185a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.text.js"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75358, "scanner": "repobility-route-auth", "fingerprint": "ac3dea55b4b4b168d3ee3ea455711f2671bc4efe686eeb1021f1358b6a3b8da1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ac3dea55b4b4b168d3ee3ea455711f2671bc4efe686eeb1021f1358b6a3b8da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.text.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /users has no auth"}, "properties": {"repobilityId": 75357, "scanner": "repobility-route-auth", "fingerprint": "0cabee418d5908625f1ef577e6d82fe86683b3b7b837562e81f3e4a7a3739cac", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0cabee418d5908625f1ef577e6d82fe86683b3b7b837562e81f3e4a7a3739cac"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "test/app.options.js"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /users has no auth"}, "properties": {"repobilityId": 75356, "scanner": "repobility-route-auth", "fingerprint": "52893d7ac145bc11a7feacf5d7b283531b54f04d59050ea497115bc2615332a7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|52893d7ac145bc11a7feacf5d7b283531b54f04d59050ea497115bc2615332a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/app.options.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /users has no auth"}, "properties": {"repobilityId": 75355, "scanner": "repobility-route-auth", "fingerprint": "159a451b8db1f9b17906b8dd64ded83855f416e604977e92e29058393dcaca87", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|159a451b8db1f9b17906b8dd64ded83855f416e604977e92e29058393dcaca87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/app.options.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE / has no auth"}, "properties": {"repobilityId": 75354, "scanner": "repobility-route-auth", "fingerprint": 
"45545e943267cd0b073fd02ef9b2f2955eb3693403b26913f93deba227494a23", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|45545e943267cd0b073fd02ef9b2f2955eb3693403b26913f93deba227494a23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/app.options.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /users has no auth"}, "properties": {"repobilityId": 75353, "scanner": "repobility-route-auth", "fingerprint": "b4b053101ac8508a0b13645b25305059e60b8b3694bca006443afe5ad17fc321", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b4b053101ac8508a0b13645b25305059e60b8b3694bca006443afe5ad17fc321"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/app.options.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75352, "scanner": "repobility-route-auth", "fingerprint": "e872c9b74b04e0b453b9701e3ef2c3828fcd8cfbfeec7ab345205c61d27f074a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", 
"CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e872c9b74b04e0b453b9701e3ef2c3828fcd8cfbfeec7ab345205c61d27f074a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/app.options.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /:user has no auth"}, "properties": {"repobilityId": 75351, "scanner": "repobility-route-auth", "fingerprint": "7da0bf541aa5088263a52b5c56b4714d059b4cb7fd6d14e541331498ca5c64c9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7da0bf541aa5088263a52b5c56b4714d059b4cb7fd6d14e541331498ca5c64c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/app.param.js"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75350, "scanner": "repobility-route-auth", "fingerprint": "cc597ee483901ce21a1a40402bf811ef16f8fc8129a12aca23c7fa5fc1df4b6f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|cc597ee483901ce21a1a40402bf811ef16f8fc8129a12aca23c7fa5fc1df4b6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.urlencoded.js"}, "region": {"startLine": 
817}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75349, "scanner": "repobility-route-auth", "fingerprint": "4d23056a85145a292d060a6a0439b3d1ca4b2ab97b78026b617e7d18fe8ac297", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4d23056a85145a292d060a6a0439b3d1ca4b2ab97b78026b617e7d18fe8ac297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.urlencoded.js"}, "region": {"startLine": 639}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75348, "scanner": "repobility-route-auth", "fingerprint": "eaee1ae87dbca1c1c8fdff655f1569adb555b29d02c37e09103a361588eea7c1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|eaee1ae87dbca1c1c8fdff655f1569adb555b29d02c37e09103a361588eea7c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.urlencoded.js"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75347, "scanner": "repobility-route-auth", "fingerprint": "bc15e32e9a820331dfe217b3ff91a2ee8d1f35f45eb2cf4198f4796b32997582", "category": "quality", "severity": "high", "confidence": 
0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|bc15e32e9a820331dfe217b3ff91a2ee8d1f35f45eb2cf4198f4796b32997582"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.urlencoded.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75346, "scanner": "repobility-route-auth", "fingerprint": "79885f262036f899a0614b7fd0aaf85f70769446227788272b6c766d1ac29f1c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|79885f262036f899a0614b7fd0aaf85f70769446227788272b6c766d1ac29f1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.raw.js"}, "region": {"startLine": 504}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75345, "scanner": "repobility-route-auth", "fingerprint": "68dfe114e61f81b6bf12dec0833e50231a24ad70de49ab96a57568eafc9d20b8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", 
"correlation_key": "fp|68dfe114e61f81b6bf12dec0833e50231a24ad70de49ab96a57568eafc9d20b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.raw.js"}, "region": {"startLine": 361}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75344, "scanner": "repobility-route-auth", "fingerprint": "6ebd24a1521cee8ed60089ae6f90523611ee6086ae520a53f81615b289187e52", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6ebd24a1521cee8ed60089ae6f90523611ee6086ae520a53f81615b289187e52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.raw.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 75343, "scanner": "repobility-route-auth", "fingerprint": "ac89397237e72b7f515e80bcd173753096e2824d36a6dfe50b18f15c8ab29b18", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ac89397237e72b7f515e80bcd173753096e2824d36a6dfe50b18f15c8ab29b18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/express.raw.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: 
require(<variable>) loads whichever module the variable resolves to \u2014 equivalent to eval at module scope when that value can be influenced by untrusted input. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 75394, "scanner": "repobility-threat-engine", "fingerprint": "e274c71659e9b20fd13d2e5999723883d98bfe22dcb09a50ba0a49ece5b988bb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e274c71659e9b20fd13d2e5999723883d98bfe22dcb09a50ba0a49ece5b988bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/content-negotiation/index.js"}, "region": {"startLine": 34}}}]}]}]}