{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /de"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /#{1+2+3}."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC107", "name": "[SEC107] Weak TLS version requested (TLSv1.0, TLSv1.1, SSLv3, SSLv2): TLS 1.0 and 1.1 were deprecated by IETF in 2021 (R", "shortDescription": {"text": "[SEC107] Weak TLS version requested (TLSv1.0, TLSv1.1, SSLv3, SSLv2): TLS 1.0 and 1.1 were deprecated by IETF in 2021 (RFC 8996). Most browsers no longer support them. Code requesting these protocols is talking to an attacker-controllable d"}, "fullDescription": {"text": "Use TLSv1.2 minimum, TLSv1.3 preferred. Java: `SSLContext.getInstance(\"TLSv1.2\")`. Python: `ssl.PROTOCOL_TLS_CLIENT` + `MinimumVersion = TLSVersion.TLSv1_2`. Go: `MinVersion: tls.VersionTLS12`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC105", "name": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted ove", "shortDescription": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "fullDescription": {"text": "Always set HttpOnly=true, Secure=true (in production), SameSite=Lax or Strict. For Express: `res.cookie(name, val, { httpOnly: true, secure: true, sameSite: 'lax' })`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED093", "name": "[MINED093] Java Sql Statement Concat: Statement.executeQuery with concat string = SQL injection.", "shortDescription": {"text": "[MINED093] Java Sql Statement Concat: Statement.executeQuery with concat string = SQL injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-89 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED083] Java Thread Start (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED092", "name": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection.", "shortDescription": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM.", "shortDescription": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED053] Placeholder Default Username (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED081] Java Printstacktrace (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 38 more): Same pattern found in 38 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `java-frontend/src/test/files/classpath/bin/LambdaExpressions.class` committed in source repo: `j", "shortDescription": {"text": "[MINED134] Binary file `java-frontend/src/test/files/classpath/bin/LambdaExpressions.class` committed in source repo: `java-frontend/src/test/files/classpath/bin/LambdaExpressions.class` is a .class binary (2,459 bytes) committed to a repo "}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `SonarSource/ci-github-actions/config-maven` pinned to mutable ref `@v1`: `uses: SonarSource/ci-github", "shortDescription": {"text": "[MINED115] Action `SonarSource/ci-github-actions/config-maven` pinned to mutable ref `@v1`: `uses: SonarSource/ci-github-actions/config-maven@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that ma"}, "fullDescription": {"text": "Replace with: `uses: SonarSource/ci-github-actions/config-maven@<40-char-sha>  # v1` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /{id}."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC106", "name": "[SEC106] Block cipher in ECB mode (AES/DES/Blowfish): ECB mode leaks block-level structure \u2014 identical plaintext blocks ", "shortDescription": {"text": "[SEC106] Block cipher in ECB mode (AES/DES/Blowfish): ECB mode leaks block-level structure \u2014 identical plaintext blocks encrypt to identical ciphertext (the famous Tux image). Bare `Cipher.getInstance(\"AES\")` defaults to ECB on most JVMs."}, "fullDescription": {"text": "Use GCM (recommended): `Cipher.getInstance(\"AES/GCM/NoPadding\")`. Or CBC with HMAC. Always pass an explicit IV; never reuse it for GCM."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC102", "name": "[SEC102] Jackson default typing / polymorphic deserialization enabled: Jackson with default typing enabled allows attack", "shortDescription": {"text": "[SEC102] Jackson default typing / polymorphic deserialization enabled: Jackson with default typing enabled allows attacker-supplied JSON to instantiate arbitrary classes. Pattern behind many SpringBoot RCEs."}, "fullDescription": {"text": "Disable default typing. If polymorphism is needed, use JsonTypeInfo.Id.NAME with explicit @JsonSubTypes annotations or PolymorphicTypeValidator. Never use Id.CLASS or Id.MINIMAL_CLASS."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC030", "name": "[SEC030] Open Redirect \u2014 user-controlled redirect target: Redirect target is taken directly from user input without vali", "shortDescription": {"text": "[SEC030] Open Redirect \u2014 user-controlled redirect target: Redirect target is taken directly from user input without validating that the destination is local to the site. Attackers craft phishing URLs that appear to come from your domain but"}, "fullDescription": {"text": "Validate the redirect URL against an allowlist of safe destinations:\n  # Django:\n  from django.utils.http import url_has_allowed_host_and_scheme\n  if not url_has_allowed_host_and_scheme(url, allowed_hosts={request.get_host()}):\n      url = '/'  # safe default\nOr restrict to relative paths only: `if not url.startswith('/'): abort(400)`. Never accept external schemes without verification."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED007", "name": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection.", "shortDescription": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC051", "name": "[SEC051] Stripe live/test key: Stripe API key (live or test). Live keys can charge real cards. Ported from gitleaks stri", "shortDescription": {"text": "[SEC051] Stripe live/test key: Stripe API key (live or test). Live keys can charge real cards. Ported from gitleaks stripe-access-token (MIT)."}, "fullDescription": {"text": "Roll the key in Stripe Dashboard immediately. If a live key was committed, audit Stripe events for unauthorized charges."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1005"}, "properties": {"repository": "SonarSource/sonar-java", "repoUrl": "https://github.com/SonarSource/sonar-java", "branch": "master"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 94163, "scanner": "repobility-journey-contract", "fingerprint": "5c37a5488674fc6f835d9cbee96c64982639e9d4ef5eeb57bddd5d7c71d2c8a9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/order/{param}/{param}", "correlation_key": "fp|5c37a5488674fc6f835d9cbee96c64982639e9d4ef5eeb57bddd5d7c71d2c8a9", "backend_endpoint_count": 122}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6856.html"}, "region": {"startLine": 113}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 94162, "scanner": "repobility-journey-contract", "fingerprint": "72303daa0948d2efa6132d049b1cbcb3f638bc3a16edebe9b11ef561f39e6b7c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/order/{param}/{param}", "correlation_key": "fp|72303daa0948d2efa6132d049b1cbcb3f638bc3a16edebe9b11ef561f39e6b7c", "backend_endpoint_count": 122}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6856.html"}, "region": {"startLine": 103}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 94161, "scanner": "repobility-journey-contract", "fingerprint": "737ef02e4a2bf3c69146ab22d7b14308d4343c2ace96ef70cdd11520123109aa", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/asset/{param}", "correlation_key": "fp|737ef02e4a2bf3c69146ab22d7b14308d4343c2ace96ef70cdd11520123109aa", "backend_endpoint_count": 122}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6856.html"}, "region": {"startLine": 37}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 94160, "scanner": "repobility-journey-contract", "fingerprint": "387de486fb2db935755ef9aff68513e4a6d1bb3fb24596bd632869223dfe2345", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/resource/{param}", "correlation_key": "fp|387de486fb2db935755ef9aff68513e4a6d1bb3fb24596bd632869223dfe2345", "backend_endpoint_count": 122}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6856.html"}, "region": {"startLine": 32}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 94159, "scanner": "repobility-journey-contract", "fingerprint": "0b1e1b5244f8ba53998442fe628f08be141fd01c2d883f2d752e2b777c85981a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/asset", "correlation_key": "fp|0b1e1b5244f8ba53998442fe628f08be141fd01c2d883f2d752e2b777c85981a", "backend_endpoint_count": 122}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6856.html"}, "region": {"startLine": 25}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 94158, "scanner": "repobility-journey-contract", "fingerprint": "c122fa50da4a1203c086ff1aea6397d3b5db64f54ba0e4d644929481888e7170", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/resource/{param}", "correlation_key": "fp|c122fa50da4a1203c086ff1aea6397d3b5db64f54ba0e4d644929481888e7170", "backend_endpoint_count": 122}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6856.html"}, "region": {"startLine": 20}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 94157, "scanner": "repobility-journey-contract", "fingerprint": "2cee7a6333c4396cb92808931365b4180209f0a6061af2e9a587ac36b4d41eda", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/resource/{param}", "correlation_key": "fp|2cee7a6333c4396cb92808931365b4180209f0a6061af2e9a587ac36b4d41eda", "backend_endpoint_count": 122}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S6856.html"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /delete."}, "properties": {"repobilityId": 94156, "scanner": "repobility-access-control", "fingerprint": "c1418c32a0870ccee61f57580c50a5ea5346c4c9d034ad439b850f04c477770e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/delete", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|77|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/spring/SpringRequestMappingMethodCheckSample.java"}, "region": {"startLine": 77}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /put."}, "properties": {"repobilityId": 94155, "scanner": "repobility-access-control", "fingerprint": "bdd603e280d5f23d2b45a3c4f5de7a5e0fd94b1aac3b5869c56c4188bfbdd836", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/put", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|72|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/spring/SpringRequestMappingMethodCheckSample.java"}, "region": {"startLine": 72}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /#{1+2+3}."}, "properties": {"repobilityId": 94154, "scanner": "repobility-access-control", "fingerprint": "45c24a460bbd439f59155ed627d3d9a3c1ce7568c93140eadcce02d1909a70b2", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/#{1+2+3}", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|202|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/spring/SpelExpressionCheckSample.java"}, "region": {"startLine": 202}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 94152, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Spring Boot"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 94118, "scanner": "repobility-threat-engine", "fingerprint": "631a2b189a684adddadcf925446a395cca5b45e9b1217133e4f2975729fbb927", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (0.9 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (0.9 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/security/EmptyDatabasePasswordCheckVariables.java"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 94116, "scanner": "repobility-threat-engine", "fingerprint": "bc4751152481c1a2c630db1308267d5a309c41463bf194c85245b5e797ee5f3d", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (1.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password = \"<redacted>\"", "reason": "Low entropy value (1.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/security/AndroidMobileDatabaseEncryptionKeysCheckSample.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 94115, "scanner": "repobility-threat-engine", "fingerprint": "4aba7d7f90ce399bfefdb510b6735f3a47b31627166d6ecd37ea53da9e61453b", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Pattern.compile(\"The import ([$\\\\w]++(\\\\.[$\\\\w]++)*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4aba7d7f90ce399bfefdb510b6735f3a47b31627166d6ecd37ea53da9e61453b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks/src/main/java/org/sonar/java/checks/UselessImportCheck.java"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 94114, "scanner": "repobility-threat-engine", "fingerprint": "92b511640519b7be0aa0eb4032a097079088db4648a37bf2f589bb71e7239cbd", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Pattern.compile(\"(a|b)*\"), // Noncompliant {{Refactor this repetition that can lead to a stack overf", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92b511640519b7be0aa0eb4032a097079088db4648a37bf2f589bb71e7239cbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/regex/RegexStackOverflowCheckWithHighStackConsumption.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 94113, "scanner": "repobility-threat-engine", "fingerprint": "fa8f5c6f5d95a7eb304cbc294f0460b2eab326dc6fb280704238ed6a9fa57262", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Pattern.compile(\"a*\"),\n    Pattern.compile(\"(a)*\"),\n    Pattern.compile(\"((?i)a)*\"),\n    Pattern.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fa8f5c6f5d95a7eb304cbc294f0460b2eab326dc6fb280704238ed6a9fa57262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/regex/RegexStackOverflowCheckWithConstantStackConsumption.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC107", "level": "warning", "message": {"text": "[SEC107] Weak TLS version requested (TLSv1.0, TLSv1.1, SSLv3, SSLv2): TLS 1.0 and 1.1 were deprecated by IETF in 2021 (RFC 8996). Most browsers no longer support them. Code requesting these protocols is talking to an attacker-controllable downgrade target."}, "properties": {"repobilityId": 94112, "scanner": "repobility-threat-engine", "fingerprint": "068c06adbb435c5aa4f316f46a069c306f0fb05d57d22b75eaf71060de3776c6", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SSLContext.getInstance(\"SSL\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC107", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|12|sec107"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/WeakSSLContextCheckJava8.java"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC107", "level": "warning", "message": {"text": "[SEC107] Weak TLS version requested (TLSv1.0, TLSv1.1, SSLv3, SSLv2): TLS 1.0 and 1.1 were deprecated by IETF in 2021 (RFC 8996). Most browsers no longer support them. Code requesting these protocols is talking to an attacker-controllable downgrade target."}, "properties": {"repobilityId": 94111, "scanner": "repobility-threat-engine", "fingerprint": "9ee394ba5750287d8590d95f14d6afd423041621af2c0b59c7d87688acc06543", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SSLContext.getInstance(\"SSL\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC107", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|19|sec107"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/WeakSSLContextCheck.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 94107, "scanner": "repobility-threat-engine", "fingerprint": "d5325463a4b35bbc2ebbba1319af898e3694bbb30207efa12dc3c618acffbe9f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ive()'.}}\n//                 ^^^^^^^\n    public double getSize() { return Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d5325463a4b35bbc2ebbba1319af898e3694bbb30207efa12dc3c618acffbe9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/RecordDuplicatedGetterCheckSample.java"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 94097, "scanner": "repobility-threat-engine", "fingerprint": "b1bfc71de843c8ae813787f8d66389f0dd62730fae933e611b03f10caf0242bf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1bfc71de843c8ae813787f8d66389f0dd62730fae933e611b03f10caf0242bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/files/non-compiling/checks/security/DebugFeatureEnabledCheckSample.java"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC105", "level": "warning", "message": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "properties": {"repobilityId": 94095, "scanner": "repobility-threat-engine", "fingerprint": "103d3ab062d6be374b2a5ff032bc6831a5db93955d6951c753916535b820ac21", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".setSecure(false)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC105", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|103d3ab062d6be374b2a5ff032bc6831a5db93955d6951c753916535b820ac21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/security/SecureCookieCheckSample.java"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC105", "level": "warning", "message": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "properties": {"repobilityId": 94094, "scanner": "repobility-threat-engine", "fingerprint": "3b70162f5d5ef5d7658df7c95dcc79a6f59f20705cd50232347fb4fbe2642bf8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".setSecure(false)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC105", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b70162f5d5ef5d7658df7c95dcc79a6f59f20705cd50232347fb4fbe2642bf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/security/SecureCookieCheckJakarta.java"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC105", "level": "warning", "message": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "properties": {"repobilityId": 94093, "scanner": "repobility-threat-engine", "fingerprint": "b6bbacad46004e3a5fe542e941fd83b41aa32f7e0caa383dfd4f72544aface4f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".setHttpOnly(false)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC105", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b6bbacad46004e3a5fe542e941fd83b41aa32f7e0caa383dfd4f72544aface4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/files/non-compiling/checks/security/CookieHttpOnlyCheck.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 94085, "scanner": "repobility-threat-engine", "fingerprint": "69e465a2a4744073ee6822d9df214b6ec36649a2aed90943394cfb81646180a0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|66|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks/src/main/java/org/sonar/java/checks/ForLoopFalseConditionCheck.java"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 94084, "scanner": "repobility-threat-engine", "fingerprint": "5d34a1879108bb33fdef04f18d6bf9740ceb12199bfbb5a31f53df645e501d77", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|56|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/security/FilePermissionsCheckSample.java"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 94083, "scanner": "repobility-threat-engine", "fingerprint": "8ca656ac075d66970e7ec2d280c3ff42b5193834f88bd000a490445b6a3a25d4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|19|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/files/non-compiling/checks/OSCommandsPath.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94151, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6482b64c1f83aaa775aecf224e0c50e33ddf26ce9f82803200e1c0cde1911439", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/OptionTag.java", "duplicate_line": 52, "correlation_key": "fp|6482b64c1f83aaa775aecf224e0c50e33ddf26ce9f82803200e1c0cde1911439"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/OptionsTag.java"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94150, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de901ab08292a94cbff8bf21bcf137fb6391f0ccf0180c5a3c3f37cb1455085e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/OptionsCollectionTag.java", "duplicate_line": 36, "correlation_key": "fp|de901ab08292a94cbff8bf21bcf137fb6391f0ccf0180c5a3c3f37cb1455085e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/OptionsTag.java"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94149, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e6b57b33fff5df6251bf13000e805554e67809981d80eccf51a44fe1ddf30bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/OptionTag.java", "duplicate_line": 52, "correlation_key": "fp|5e6b57b33fff5df6251bf13000e805554e67809981d80eccf51a44fe1ddf30bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/OptionsCollectionTag.java"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94148, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a3c6caa12c51986429ee438c8be2dbba7979345d32e2d1212436f51bbd64dedb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/FormTag.java", "duplicate_line": 131, "correlation_key": "fp|a3c6caa12c51986429ee438c8be2dbba7979345d32e2d1212436f51bbd64dedb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/OptionTag.java"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94147, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a895171755dfa007d0331c91381575f4047294843402c88a1c21f66f1cab6ccd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/BaseHandlerTag.java", "duplicate_line": 254, "correlation_key": "fp|a895171755dfa007d0331c91381575f4047294843402c88a1c21f66f1cab6ccd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/OptionTag.java"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94146, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c929cb8ba9e759ab183ca639efa7e98ab8e34653f6a0ba7d4d9efeb9bbff995b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/DefineTag.java", "duplicate_line": 28, "correlation_key": "fp|c929cb8ba9e759ab183ca639efa7e98ab8e34653f6a0ba7d4d9efeb9bbff995b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/MultiboxTag.java"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94145, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ecabff7b982053327eb51d24e019ba20105c988a2cc7b4793ac9fab71cf4dfe6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/CheckboxTag.java", "duplicate_line": 12, "correlation_key": "fp|ecabff7b982053327eb51d24e019ba20105c988a2cc7b4793ac9fab71cf4dfe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/MultiboxTag.java"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94144, "scanner": "repobility-ai-code-hygiene", "fingerprint": "160cd3d7536e802f8c7d4ed5a1446136bab916549e4f3d763b5187a2122af480", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/DefineTag.java", "duplicate_line": 27, "correlation_key": "fp|160cd3d7536e802f8c7d4ed5a1446136bab916549e4f3d763b5187a2122af480"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/MessagesTag.java"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94143, "scanner": "repobility-ai-code-hygiene", "fingerprint": "24172580812230f6d0b22014738bcb3c8da77316809044421b32f85e3711285c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/ErrorsTag.java", "duplicate_line": 22, "correlation_key": "fp|24172580812230f6d0b22014738bcb3c8da77316809044421b32f85e3711285c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/MessagesTag.java"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94142, "scanner": "repobility-ai-code-hygiene", "fingerprint": "897707cf53a6ab4e7ad7c9faa136e969a14a7bbd799b90c82f8dd693fde2831c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/DefineTag.java", "duplicate_line": 33, "correlation_key": "fp|897707cf53a6ab4e7ad7c9faa136e969a14a7bbd799b90c82f8dd693fde2831c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/LinkTag.java"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94141, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ab14df236278de8fc198a2cb4f6e30c3539fe98d4ade101b81d1ecc85734003f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/ImgTag.java", "duplicate_line": 77, "correlation_key": "fp|ab14df236278de8fc198a2cb4f6e30c3539fe98d4ade101b81d1ecc85734003f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/LinkTag.java"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94140, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae07a636ab1b347b36a318920a7ea4b297db7b6b867199dc140b0aef18c6136d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/IncludeTag.java", "duplicate_line": 27, "correlation_key": "fp|ae07a636ab1b347b36a318920a7ea4b297db7b6b867199dc140b0aef18c6136d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/LinkTag.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94139, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bfe443bc8300136d95d4d8393b5470adf9e195dc899ee7cc2b98a2d505d80e17", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/DefineTag.java", "duplicate_line": 33, "correlation_key": "fp|bfe443bc8300136d95d4d8393b5470adf9e195dc899ee7cc2b98a2d505d80e17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/ImgTag.java"}, "region": {"startLine": 131}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94138, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea8321a125377b1fae03508a385151a7ba508fb1b867ae1276c921ca95905642", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/ImageTag.java", "duplicate_line": 20, "correlation_key": "fp|ea8321a125377b1fae03508a385151a7ba508fb1b867ae1276c921ca95905642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/ImgTag.java"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94137, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c2546a88cc9347f84f5e6ab2737c85720a02727622a0d4ed58d574309e19b09", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/BaseHandlerTag.java", "duplicate_line": 254, "correlation_key": "fp|4c2546a88cc9347f84f5e6ab2737c85720a02727622a0d4ed58d574309e19b09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/FormTag.java"}, "region": {"startLine": 129}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94136, "scanner": "repobility-ai-code-hygiene", "fingerprint": "016c8a98f2698bf149d0c202ebac6c41aae4d8b4297fe2f6610b6264fa0dc74a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/DefineTag.java", "duplicate_line": 27, "correlation_key": "fp|016c8a98f2698bf149d0c202ebac6c41aae4d8b4297fe2f6610b6264fa0dc74a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/ErrorsTag.java"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94135, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c310c2c35039f81d6c60adcf2526cacfb08cc945c7a517087538e02a29a4f0a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/BaseInputTag.java", "duplicate_line": 60, "correlation_key": "fp|c310c2c35039f81d6c60adcf2526cacfb08cc945c7a517087538e02a29a4f0a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/CheckboxTag.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94134, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8318daec8139e7f13c739656af2e20367ef7948e4f0ad48f9a0818014ecf83f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/DefineTag.java", "duplicate_line": 28, "correlation_key": "fp|8318daec8139e7f13c739656af2e20367ef7948e4f0ad48f9a0818014ecf83f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/CheckboxTag.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94133, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f2b2a079e9f717e44167d16ba3fca8e0638c61a0e89077b869d44d62f33ddad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/DefineTag.java", "duplicate_line": 27, "correlation_key": "fp|3f2b2a079e9f717e44167d16ba3fca8e0638c61a0e89077b869d44d62f33ddad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/WriteTag.java"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94132, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12fea62ef5ee8428f19e3dd844feae7d088463caca94af37f65987371bc41518", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/DefineTag.java", "duplicate_line": 22, "correlation_key": "fp|12fea62ef5ee8428f19e3dd844feae7d088463caca94af37f65987371bc41518"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/SizeTag.java"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94131, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f59568ee62e5cb026c8a273630a072a93dccadee752b3743bf6847af2b0bde65", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/HeaderTei.java", "duplicate_line": 6, "correlation_key": "fp|f59568ee62e5cb026c8a273630a072a93dccadee752b3743bf6847af2b0bde65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/ParameterTei.java"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94130, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38351f432367c840012cc9245047a4e9a5d0a8a9950d6fd67c1124d473e44559", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/CookieTag.java", "duplicate_line": 10, "correlation_key": "fp|38351f432367c840012cc9245047a4e9a5d0a8a9950d6fd67c1124d473e44559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/ParameterTag.java"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94129, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c30a3923567c03c690c380e38029c06fba0f537628b989e706108ba737a23d77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/DefineTag.java", "duplicate_line": 27, "correlation_key": "fp|c30a3923567c03c690c380e38029c06fba0f537628b989e706108ba737a23d77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/MessageTag.java"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94128, "scanner": "repobility-ai-code-hygiene", "fingerprint": "04908e1cd88c5869f8a4297be9f7ae8ca86c9bffee5c63f160a70a60bd133dec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/CookieTag.java", "duplicate_line": 10, "correlation_key": "fp|04908e1cd88c5869f8a4297be9f7ae8ca86c9bffee5c63f160a70a60bd133dec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/bean/HeaderTag.java"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94127, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f3a00d7c4831699d6c152b6f0cceafe8049afa72dc4c0a6d198be36bf3540308", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/util/RequestUtils.java", "duplicate_line": 402, "correlation_key": "fp|f3a00d7c4831699d6c152b6f0cceafe8049afa72dc4c0a6d198be36bf3540308"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/TagUtils.java"}, "region": {"startLine": 539}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94126, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f825a63e754f39b954b4e9e8d49673540600969de41bacb6420596bfdcb9b06", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/config/ConfigHelper.java", "duplicate_line": 151, "correlation_key": "fp|4f825a63e754f39b954b4e9e8d49673540600969de41bacb6420596bfdcb9b06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/TagUtils.java"}, "region": {"startLine": 344}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94125, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f633d096a976d122eeecccff2840238b78a1260e43dd8ac177cf61c24555cbf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/validator/DynaValidatorForm.java", "duplicate_line": 29, "correlation_key": "fp|3f633d096a976d122eeecccff2840238b78a1260e43dd8ac177cf61c24555cbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/validator/ValidatorForm.java"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94124, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bea31868349e285eb475590ced764ed5bf18aa3f18f413be22b68b34bd3a58c1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/config/ActionConfig.java", "duplicate_line": 81, "correlation_key": "fp|bea31868349e285eb475590ced764ed5bf18aa3f18f413be22b68b34bd3a58c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/config/ForwardConfig.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94123, "scanner": "repobility-ai-code-hygiene", "fingerprint": "209b184cc7dacaa9aafa76e4ff8a2c06376301393b1934892afd978af8b7ba3d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/config/ActionConfig.java", "duplicate_line": 81, "correlation_key": "fp|209b184cc7dacaa9aafa76e4ff8a2c06376301393b1934892afd978af8b7ba3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/config/ExceptionConfig.java"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 94122, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3a06257c2756818aea25d8ec11e29d30183f9213a119ef4a283d8692a0e91db", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/action/RequestProcessor.java", "duplicate_line": 322, "correlation_key": "fp|c3a06257c2756818aea25d8ec11e29d30183f9213a119ef4a283d8692a0e91db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/chain/ComposableRequestProcessor.java"}, "region": {"startLine": 159}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 94053, "scanner": "repobility-threat-engine", "fingerprint": "be7c262058ebd1196fceebec3ae7246b265b68f70586e74dfcdd3b82294f7770", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Both scope [\" + effectiveScope\n                + \"] and formName [\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|be7c262058ebd1196fceebec3ae7246b265b68f70586e74dfcdd3b82294f7770"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/chain/commands/generic/CopyFormToContext.java"}, "region": {"startLine": 215}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 94052, "scanner": "repobility-threat-engine", "fingerprint": "a616dbcbbf10eec07c80eeb726624404594ba0ef688d469d7305a3f6cf197c69", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"See if actionConfig \" + actionConfig\n                    + \" has an exceptionConfig for \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a616dbcbbf10eec07c80eeb726624404594ba0ef688d469d7305a3f6cf197c69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/chain/commands/AbstractExceptionHandler.java"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 94051, "scanner": "repobility-threat-engine", "fingerprint": "61de0724bdbe5dfec1e08b0df510571e17696bf379f2fed48a842fe31e6b088f", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"check-list/target/generated-sources/\" + CLASS_NAME + \".java\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61de0724bdbe5dfec1e08b0df510571e17696bf379f2fed48a842fe31e6b088f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "check-list/src/main/java/org/sonar/java/CheckListGenerator.java"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED093", "level": "none", "message": {"text": "[MINED093] Java Sql Statement Concat: Statement.executeQuery with concat string = SQL injection."}, "properties": {"repobilityId": 94108, "scanner": "repobility-threat-engine", "fingerprint": "abc26cb95102ea10d48ef6675adfe8318f43cde124d61c1a7ff3d42657564993", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-sql-statement-concat", "owasp": null, "cwe_ids": ["CWE-89"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348155+00:00", "triaged_in_corpus": 20, "observations_count": 136, "ai_coder_pattern_id": 129}, "scanner": "repobility-threat-engine", "correlation_key": "fp|abc26cb95102ea10d48ef6675adfe8318f43cde124d61c1a7ff3d42657564993"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/SQLInjection.java"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 94102, "scanner": "repobility-threat-engine", "fingerprint": "27726c21334ad29b712b747eeb41fff49f26ef3ea64b748034960b718a1c388d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|27726c21334ad29b712b747eeb41fff49f26ef3ea64b748034960b718a1c388d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/IndentationCheckWithControlCharacters.java"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 94101, "scanner": "repobility-threat-engine", "fingerprint": "6b34f20db2847bb217b42a6945d07c856efd55938680665735ade2714bfefb58", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b34f20db2847bb217b42a6945d07c856efd55938680665735ade2714bfefb58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/ControlCharacterInLiteralCheckTabsAllowed.java"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 94100, "scanner": "repobility-threat-engine", "fingerprint": "d8c3bc8471c5892428f2675e75be620ce8def0a8732ccc6a02f05f9bd3207261", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d8c3bc8471c5892428f2675e75be620ce8def0a8732ccc6a02f05f9bd3207261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/ControlCharacterInLiteralCheck.java"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 94098, "scanner": "repobility-threat-engine", "fingerprint": "d995c317c25de65e2ef1ec8c8124617ef8e392f2d4c7a32e70c36f832928acf2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d995c317c25de65e2ef1ec8c8124617ef8e392f2d4c7a32e70c36f832928acf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/files/non-compiling/checks/security/DebugFeatureEnabledCheckSample.java"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC105", "level": "none", "message": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 94096, "scanner": "repobility-threat-engine", "fingerprint": "3f93adc1aa9d7d1ccaa86c8e63f7132af11b4d22d4e5724da4003a6c12758ccc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC105", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3f93adc1aa9d7d1ccaa86c8e63f7132af11b4d22d4e5724da4003a6c12758ccc"}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 94092, "scanner": "repobility-threat-engine", "fingerprint": "59f9cd8d49d624e06d0357b8bd23b8f4d32c471b9979518195b139b9f3054721", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|59f9cd8d49d624e06d0357b8bd23b8f4d32c471b9979518195b139b9f3054721", "aggregated_count": 9}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 94091, "scanner": "repobility-threat-engine", "fingerprint": "7d8f7e5bfcd063d6dc2affd51efe6a6e45348a1390d4ec7f6488625ab34305dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7d8f7e5bfcd063d6dc2affd51efe6a6e45348a1390d4ec7f6488625ab34305dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/AssertsOnParametersOfPublicMethodCheckSample.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 94090, "scanner": "repobility-threat-engine", "fingerprint": "dda755f1b01c61094848320947b42dcfeabfa1761cede4859d767f33d48deb29", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dda755f1b01c61094848320947b42dcfeabfa1761cede4859d767f33d48deb29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/AnonymousClassShouldBeLambdaCheckSample.java"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 94089, "scanner": "repobility-threat-engine", "fingerprint": "a71357ef45d3449b3f326819269d62e403d7e8ad4693a7ebf2c12ad15c591c9c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a71357ef45d3449b3f326819269d62e403d7e8ad4693a7ebf2c12ad15c591c9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/files/non-compiling/checks/ThreadOverridesRunCheckSample.java"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "properties": {"repobilityId": 94088, "scanner": "repobility-threat-engine", "fingerprint": "92a2956a6d22c21e05f6fd952fd01a03152e766f15f33628415e3643e4b7e885", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92a2956a6d22c21e05f6fd952fd01a03152e766f15f33628415e3643e4b7e885"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/files/non-compiling/checks/OSCommandsPath.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 94082, "scanner": "repobility-threat-engine", "fingerprint": "5180af2670057b72d51626900c05aa21d7617f7dbadee5ba0ab1d8fc882ac358", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5180af2670057b72d51626900c05aa21d7617f7dbadee5ba0ab1d8fc882ac358"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/GarbageCollectorCalledCheckSample.java"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 94081, "scanner": "repobility-threat-engine", "fingerprint": "22fc5280a61019a83d3a1c824b3b75567ea46fc5220a42acab9d70026846c851", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|22fc5280a61019a83d3a1c824b3b75567ea46fc5220a42acab9d70026846c851"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/DeadStoreCheckSample.java"}, "region": {"startLine": 334}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 94080, "scanner": "repobility-threat-engine", "fingerprint": "96c3533fbaecb2aac534bcd9f00adc52b67bbee0fee46f9c26bf9b45cc4ca7ed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96c3533fbaecb2aac534bcd9f00adc52b67bbee0fee46f9c26bf9b45cc4ca7ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/files/non-compiling/checks/GarbageCollectorCalledCheckSample.java"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 94079, "scanner": "repobility-threat-engine", "fingerprint": "293253bbdac798036bab407ee3841d5d2dac0381dbd30cf3093f015ec5dee5dd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|293253bbdac798036bab407ee3841d5d2dac0381dbd30cf3093f015ec5dee5dd", "aggregated_count": 3}}}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 94078, "scanner": "repobility-threat-engine", "fingerprint": "478310993f6332bd678655af28cfe32d61b23f1f907fc7e4a8a86309f52476dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|478310993f6332bd678655af28cfe32d61b23f1f907fc7e4a8a86309f52476dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/S2638_ChangeMethodContractCheck/nullableApi/ChangeMethodContractCheck.java"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 94077, "scanner": "repobility-threat-engine", "fingerprint": "7932a66ce6fc60421df3709e126c538267e2d8f13b9624b78552da68e0ec4a9f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7932a66ce6fc60421df3709e126c538267e2d8f13b9624b78552da68e0ec4a9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/S2638_ChangeMethodContractCheck/nonNullApi/ChangeMethodContractCheck.java"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 94076, "scanner": "repobility-threat-engine", "fingerprint": "b756efb711cfec7a9caf730f61b8db39853f3bb933297b7260e125bb06404bcb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b756efb711cfec7a9caf730f61b8db39853f3bb933297b7260e125bb06404bcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/files/non-compiling/checks/ChangeMethodContractCheck.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 94075, "scanner": "repobility-threat-engine", "fingerprint": "3a529608c3032921ced580276e14d5bdc552ff7e4e67746d39139f2052dfb34e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3a529608c3032921ced580276e14d5bdc552ff7e4e67746d39139f2052dfb34e", "aggregated_count": 13}}}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 94074, "scanner": "repobility-threat-engine", "fingerprint": "4aa45272586a3f0a77c6242e4958e61520b60c27298982fd4f9451a4d2f4b78c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4aa45272586a3f0a77c6242e4958e61520b60c27298982fd4f9451a4d2f4b78c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/tiles/src/main/java/org/apache/struts/tiles/taglib/GetAttributeTag.java"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 94073, "scanner": "repobility-threat-engine", "fingerprint": "b0505916ccb2936cde5536f7d63722f3f92c9d7d9953b50193bffebffd70664f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0505916ccb2936cde5536f7d63722f3f92c9d7d9953b50193bffebffd70664f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/tiles/src/main/java/org/apache/struts/tiles/RedeployableActionServlet.java"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 94072, "scanner": "repobility-threat-engine", "fingerprint": "31b67cdc057888e0a08df4604cdf02f667b0f632be6c9524bd81c03240219c08", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|31b67cdc057888e0a08df4604cdf02f667b0f632be6c9524bd81c03240219c08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/tiles/src/main/java/org/apache/struts/tiles/DefinitionsUtil.java"}, "region": {"startLine": 276}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 94071, "scanner": "repobility-threat-engine", "fingerprint": "0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 94070, "scanner": "repobility-threat-engine", "fingerprint": "f88551a0846e07150d88feb72e7adc747ec2ce14614d3553e2d637fa61f2b7ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f88551a0846e07150d88feb72e7adc747ec2ce14614d3553e2d637fa61f2b7ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/HardCodedSecretCheckSample.java"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 94069, "scanner": "repobility-threat-engine", "fingerprint": "ee29fc069f0b352e00f2807a919f14ebd058f926f10f70beddb29ed4270b29de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee29fc069f0b352e00f2807a919f14ebd058f926f10f70beddb29ed4270b29de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/CORSCheck.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 94068, "scanner": "repobility-threat-engine", "fingerprint": "6367ff55866870577466763ee36ab465126c9978748e7f01f7571c23e33d01e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6367ff55866870577466763ee36ab465126c9978748e7f01f7571c23e33d01e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/taglib/src/main/java/org/apache/struts/taglib/html/HtmlTag.java"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 94067, "scanner": "repobility-threat-engine", "fingerprint": "38940797db9a4ebd3facf8160ccaacf7d8d0df50516b6420787f039016894fd9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|38940797db9a4ebd3facf8160ccaacf7d8d0df50516b6420787f039016894fd9", "aggregated_count": 5}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "properties": {"repobilityId": 94063, "scanner": "repobility-threat-engine", "fingerprint": "627907eaffea66f024e4219e19a79ac27a6dc4100784b2eb06fc4901d3f3cc8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|627907eaffea66f024e4219e19a79ac27a6dc4100784b2eb06fc4901d3f3cc8c"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 94059, "scanner": "repobility-threat-engine", "fingerprint": "87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 94054, "scanner": "repobility-threat-engine", "fingerprint": "882d289e2432da9e5b0cc26cb8ac27ff3d43dcc49cc6eb33636581d4cd7f743d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|882d289e2432da9e5b0cc26cb8ac27ff3d43dcc49cc6eb33636581d4cd7f743d"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `java-frontend/src/test/files/classpath/bin/LambdaExpressions.class` committed in source repo: `java-frontend/src/test/files/classpath/bin/LambdaExpressions.class` is a .class binary (2,459 bytes) committed to a repo that otherwise has 4195 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 94193, "scanner": "repobility-supply-chain", "fingerprint": "7d9a62b72eab474d9f299db333af0a119466f78099bf6288837d94bcda55ac02", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d9a62b72eab474d9f299db333af0a119466f78099bf6288837d94bcda55ac02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-frontend/src/test/files/classpath/bin/LambdaExpressions.class"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `java-frontend/src/test/files/other/project.jar` committed in source repo: `java-frontend/src/test/files/other/project.jar` is a .jar binary (2,505 bytes) committed to a repo that otherwise has 4195 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 94192, "scanner": "repobility-supply-chain", "fingerprint": "f3d2503c22b5911ac87a46046779ea93e11e67aefcf593d230b418f08f28a7f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3d2503c22b5911ac87a46046779ea93e11e67aefcf593d230b418f08f28a7f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-frontend/src/test/files/other/project.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `java-frontend/src/test/files/classpath_with_comma/hello,world.jar` committed in source repo: `java-frontend/src/test/files/classpath_with_comma/hello,world.jar` is a .jar binary (2,150 bytes) committed to a repo that otherwise has 4195 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 94191, "scanner": "repobility-supply-chain", "fingerprint": "1d4ec4fff54a5674f8b4cac2584c538d30af482090c5add2d00c7f709dff64dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1d4ec4fff54a5674f8b4cac2584c538d30af482090c5add2d00c7f709dff64dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-frontend/src/test/files/classpath_with_comma/hello,world.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `java-frontend/src/test/resources/android.jar` committed in source repo: `java-frontend/src/test/resources/android.jar` is a .jar binary (50,137 bytes) committed to a repo that otherwise has 4195 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 94190, "scanner": "repobility-supply-chain", "fingerprint": "bcd3c63529c6481813112507f13ed7d6a9239e8a6c34911483fa4a4430a36ff0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bcd3c63529c6481813112507f13ed7d6a9239e8a6c34911483fa4a4430a36ff0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-frontend/src/test/resources/android.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/ci-github-actions/config-maven` pinned to mutable ref `@v1`: `uses: SonarSource/ci-github-actions/config-maven@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94189, "scanner": "repobility-supply-chain", "fingerprint": "82918780557906c6a5e4aac440b44a598331a0a7ac1720cd7a76198648c1d5f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82918780557906c6a5e4aac440b44a598331a0a7ac1720cd7a76198648c1d5f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/ci-github-actions/build-maven` pinned to mutable ref `@v1`: `uses: SonarSource/ci-github-actions/build-maven@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94188, "scanner": "repobility-supply-chain", "fingerprint": "698ac7344e790b5656955ec9258d22008dae8fd7c2bd478c307b49c78d7ed1cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|698ac7344e790b5656955ec9258d22008dae8fd7c2bd478c307b49c78d7ed1cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/gh-action_releasability/releasability-status` pinned to mutable ref `@v3`: `uses: SonarSource/gh-action_releasability/releasability-status@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94187, "scanner": "repobility-supply-chain", "fingerprint": "bff5f4a147a801a8e75a56d440ed45cb34ced2d5ea2eeb98f09644746b2e84d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bff5f4a147a801a8e75a56d440ed45cb34ced2d5ea2eeb98f09644746b2e84d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ReleasabilityCheck.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/gh-action_release/.github/workflows/main.yaml` pinned to mutable ref `@v6`: `uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94186, "scanner": "repobility-supply-chain", "fingerprint": "912e443774ab3bd2d9e4419c8e15361c8874c4ff1ac04e1c4c1e157ce269c836", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|912e443774ab3bd2d9e4419c8e15361c8874c4ff1ac04e1c4c1e157ce269c836"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v9`: `uses: actions/stale@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94185, "scanner": "repobility-supply-chain", "fingerprint": "cb326bf26008ddb614387c0e8ea430700448b87e7a819edaf0a6a3e81a671a0e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb326bf26008ddb614387c0e8ea430700448b87e7a819edaf0a6a3e81a671a0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mark-prs-stale.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/gh-action_dogfood_merge` pinned to mutable ref `@v1`: `uses: SonarSource/gh-action_dogfood_merge@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94184, "scanner": "repobility-supply-chain", "fingerprint": "28e4103b29b7b98dba90dda08c112fc49bec5efc1bd62a70c2c2aa1c628fb88f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|28e4103b29b7b98dba90dda08c112fc49bec5efc1bd62a70c2c2aa1c628fb88f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dogfood.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/vault-action-wrapper` pinned to mutable ref `@v3`: `uses: SonarSource/vault-action-wrapper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94183, "scanner": "repobility-supply-chain", "fingerprint": "29218abcbe9c13b68cd7d215c949e906acfa1ca8c87e051b5fc9c1d38c1112d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29218abcbe9c13b68cd7d215c949e906acfa1ca8c87e051b5fc9c1d38c1112d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dogfood.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/gh-action_cache/cleanup` pinned to mutable ref `@v1`: `uses: SonarSource/gh-action_cache/cleanup@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94182, "scanner": "repobility-supply-chain", "fingerprint": "47a9541c1ac13e77f99e7303f31e9bbe81343f020f6a0844e28b2bfe19919522", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47a9541c1ac13e77f99e7303f31e9bbe81343f020f6a0844e28b2bfe19919522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cleanup-cache.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/release-github-actions/create-pull-request` pinned to mutable ref `@v1`: `uses: SonarSource/release-github-actions/create-pull-request@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94181, "scanner": "repobility-supply-chain", "fingerprint": "3b05e5fbf20dd8562381e08620b2d845fa63438f8edba9155e17f7c2c1442405", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b05e5fbf20dd8562381e08620b2d845fa63438f8edba9155e17f7c2c1442405"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/PrepareNextIteration.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94180, "scanner": "repobility-supply-chain", "fingerprint": "b7cf2375055bfd423a350e78f33ce45cf598340840d17c390f5af8194b64d666", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b7cf2375055bfd423a350e78f33ce45cf598340840d17c390f5af8194b64d666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/PrepareNextIteration.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/unified-dogfooding-actions/run-iris` pinned to mutable ref `@v1`: `uses: SonarSource/unified-dogfooding-actions/run-iris@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94179, "scanner": "repobility-supply-chain", "fingerprint": "86c498c57d547a0060229e6f0552aff6a6d85b934656769fe98ad6eef6e05797", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86c498c57d547a0060229e6f0552aff6a6d85b934656769fe98ad6eef6e05797"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/unified-dogfooding.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/ci-github-actions/build-maven` pinned to mutable ref `@v1`: `uses: SonarSource/ci-github-actions/build-maven@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94178, "scanner": "repobility-supply-chain", "fingerprint": "b2a3ddb28eeb30c250ffc18e02fc53d8659d8781da4b65303b2b7850d18c05b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2a3ddb28eeb30c250ffc18e02fc53d8659d8781da4b65303b2b7850d18c05b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/unified-dogfooding.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `sonarsource/gh-action-lt-backlog/ToggleLockBranch` pinned to mutable ref `@v2`: `uses: sonarsource/gh-action-lt-backlog/ToggleLockBranch@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94177, "scanner": "repobility-supply-chain", "fingerprint": "3b08dcac9d61f4e03e747ca89fb59c2226d8bbbd8259001b308b54897ca0c7ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b08dcac9d61f4e03e747ca89fb59c2226d8bbbd8259001b308b54897ca0c7ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ToggleLockBranch.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/vault-action-wrapper` pinned to mutable ref `@v3`: `uses: SonarSource/vault-action-wrapper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94176, "scanner": "repobility-supply-chain", "fingerprint": "8f94abdb00645e9e0e1e4a36b6fab01ead9c6b9d068210d259401528257252a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f94abdb00645e9e0e1e4a36b6fab01ead9c6b9d068210d259401528257252a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ToggleLockBranch.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `sonarsource/gh-action-lt-backlog/SubmitReview` pinned to mutable ref `@v2`: `uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94175, "scanner": "repobility-supply-chain", "fingerprint": "ae9fda0c17135a1115d045e1b18ab5cd2bfdb6688313ab5add1ad0684cc1ae34", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae9fda0c17135a1115d045e1b18ab5cd2bfdb6688313ab5add1ad0684cc1ae34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/SubmitReview.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/vault-action-wrapper` pinned to mutable ref `@v3`: `uses: SonarSource/vault-action-wrapper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94174, "scanner": "repobility-supply-chain", "fingerprint": "dbfbcf2fad875feaf486732898e340cb7b105c2131dc68275746d44b5cb121ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbfbcf2fad875feaf486732898e340cb7b105c2131dc68275746d44b5cb121ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/SubmitReview.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/gh-action_releasability` pinned to mutable ref `@v3`: `uses: SonarSource/gh-action_releasability@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94173, "scanner": "repobility-supply-chain", "fingerprint": "db8775aab5fc838fec1f9a9da52acc5dd1607c8e8a58f6281812caf46cf74b29", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db8775aab5fc838fec1f9a9da52acc5dd1607c8e8a58f6281812caf46cf74b29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/releasability.yaml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/vault-action-wrapper` pinned to mutable ref `@v3`: `uses: SonarSource/vault-action-wrapper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94172, "scanner": "repobility-supply-chain", "fingerprint": "7c4a70819e27b48c48b6d8291effa7552532037ba31236df871aca6b9f87994d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c4a70819e27b48c48b6d8291effa7552532037ba31236df871aca6b9f87994d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/releasability.yaml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `sonarsource/gh-action-lt-backlog/PullRequestClosed` pinned to mutable ref `@v2`: `uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94171, "scanner": "repobility-supply-chain", "fingerprint": "4c474e235c1466764ca99d89392535bf01cd748d86d1f67b5871fd21b11d3143", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c474e235c1466764ca99d89392535bf01cd748d86d1f67b5871fd21b11d3143"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/PullRequestClosed.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/vault-action-wrapper` pinned to mutable ref `@v3`: `uses: SonarSource/vault-action-wrapper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94170, "scanner": "repobility-supply-chain", "fingerprint": "777168bac03f56441a9e435a7f77b681b07eedc9a6e33a77e464a93a19db6980", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|777168bac03f56441a9e435a7f77b681b07eedc9a6e33a77e464a93a19db6980"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/PullRequestClosed.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/ci-github-actions/pr_cleanup` pinned to mutable ref `@v1`: `uses: SonarSource/ci-github-actions/pr_cleanup@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94169, "scanner": "repobility-supply-chain", "fingerprint": "b276e883139c18fd0e4459ec6d475e427938f029bf4949e720c664dac5c0b909", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b276e883139c18fd0e4459ec6d475e427938f029bf4949e720c664dac5c0b909"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-cleanup.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/release-github-actions/.github/workflows/automated-release.yml` pinned to mutable ref `@v1`: `uses: SonarSource/release-github-actions/.github/workflows/automated-release.yml@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94168, "scanner": "repobility-supply-chain", "fingerprint": "0b792aacea91e3e9081058ecbc7d6fdc4283fbb91ac2182b830195441ab4cce3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b792aacea91e3e9081058ecbc7d6fdc4283fbb91ac2182b830195441ab4cce3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/automated-release.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/release-github-actions/update-rule-metadata` pinned to mutable ref `@v1`: `uses: SonarSource/release-github-actions/update-rule-metadata@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94167, "scanner": "repobility-supply-chain", "fingerprint": "1460d617d276764bd79ea8078deb24ae2bf644524410f56308b41407ab1436e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1460d617d276764bd79ea8078deb24ae2bf644524410f56308b41407ab1436e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/UpdateRuleMetadata.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `sonarsource/gh-action-lt-backlog/PullRequestCreated` pinned to mutable ref `@v2`: `uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94166, "scanner": "repobility-supply-chain", "fingerprint": "20a57cc43e4e0e0eb606957654e6727600871811fe03961888e71f24da007706", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20a57cc43e4e0e0eb606957654e6727600871811fe03961888e71f24da007706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/PullRequestCreated.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `SonarSource/vault-action-wrapper` pinned to mutable ref `@v3`: `uses: SonarSource/vault-action-wrapper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 94165, "scanner": "repobility-supply-chain", "fingerprint": "bc97d130133ec82ca37adbb61e854f396513b29270a44506f3842b6b3e0168b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc97d130133ec82ca37adbb61e854f396513b29270a44506f3842b6b3e0168b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/PullRequestCreated.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 94164, "scanner": "repobility-journey-contract", "fingerprint": "dab23f97dacc4751c74386e93dedcfcd54c783b896f542527529eaed3c4d3194", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|8|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 0}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2612.html"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /{id}."}, "properties": {"repobilityId": 94153, "scanner": "repobility-access-control", "fingerprint": "b8152ac39a4413f9a04f34ce4eec1bbdff70ccddbe61a3a03a260a10c796b626", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{id}", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|16|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/OptionalAsParameterCheckSample.java"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC106", "level": "error", "message": {"text": "[SEC106] Block cipher in ECB mode (AES/DES/Blowfish): ECB mode leaks block-level structure \u2014 identical plaintext blocks encrypt to identical ciphertext (the famous Tux image). Bare `Cipher.getInstance(\"AES\")` defaults to ECB on most JVMs."}, "properties": {"repobilityId": 94110, "scanner": "repobility-threat-engine", "fingerprint": "d863d575374e43ed61f7a97ab262bdd602d2d02caf3d776fca2683cde41ddb22", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Cipher.getInstance(\"AES/ECB", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC106", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|32|sec106"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/security/EncryptionAlgorithmCheckSample.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC106", "level": "error", "message": {"text": "[SEC106] Block cipher in ECB mode (AES/DES/Blowfish): ECB mode leaks block-level structure \u2014 identical plaintext blocks encrypt to identical ciphertext (the famous Tux image). Bare `Cipher.getInstance(\"AES\")` defaults to ECB on most JVMs."}, "properties": {"repobilityId": 94109, "scanner": "repobility-threat-engine", "fingerprint": "9da1af637ae4c7051e7c8370a2eae18343d4732dbf09e2cb356e93858e7ee965", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Cipher.getInstance(\"DESede/ECB", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC106", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|19|sec106"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/StrongCipherAlgorithmCheckSample.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC102", "level": "error", "message": {"text": "[SEC102] Jackson default typing / polymorphic deserialization enabled: Jackson with default typing enabled allows attacker-supplied JSON to instantiate arbitrary classes. Pattern behind many SpringBoot RCEs."}, "properties": {"repobilityId": 94106, "scanner": "repobility-threat-engine", "fingerprint": "b8cacf4a0dee208c653eed3cf01fea39667b39f4e7cb3763bd294760ed1c8ad1", "category": "deserialization", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".enableDefaultTyping(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC102", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|13|sec102"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/JacksonDeserializationCheckSample.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 94099, "scanner": "repobility-threat-engine", "fingerprint": "12755d5eebb7aee43f5acc7a1b4bd67db10efe33ceb1b628744ea316f51f29ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|12755d5eebb7aee43f5acc7a1b4bd67db10efe33ceb1b628744ea316f51f29ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/CORSCheck.java"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 94087, "scanner": "repobility-threat-engine", "fingerprint": "275d632d4e5f880304b9e2a8c9013bf792afbd0f4ce5d19c06a2bfb0dcd34cf7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(new", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|275d632d4e5f880304b9e2a8c9013bf792afbd0f4ce5d19c06a2bfb0dcd34cf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/security/FilePermissionsCheckSample.java"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 94086, "scanner": "repobility-threat-engine", "fingerprint": "2d5fc94d65e5f5295fa0de1b91196f16619eaebf7e25072cbeac2ae84cc853a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(UNINITIALIZED_COMMAND", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2d5fc94d65e5f5295fa0de1b91196f16619eaebf7e25072cbeac2ae84cc853a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/files/non-compiling/checks/OSCommandsPath.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 94066, "scanner": "repobility-threat-engine", "fingerprint": "6ffafdb85056b0e0f1ca01e71760f1dfc14f782adfaa39eed240256c61dd2501", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ffafdb85056b0e0f1ca01e71760f1dfc14f782adfaa39eed240256c61dd2501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/security/DataHashingCheckSample.java"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 94065, "scanner": "repobility-threat-engine", "fingerprint": "5a8acd05bd6b221f0f8592fe2fa0061ec7a6aebfadc5e81e4052bb7dc4ab97de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a8acd05bd6b221f0f8592fe2fa0061ec7a6aebfadc5e81e4052bb7dc4ab97de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/StrongCipherAlgorithmCheckSample.java"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 94064, "scanner": "repobility-threat-engine", "fingerprint": "8effa002b9a320c8af8bc5a51177a66b22fdccb0b33059e5d36d72b2939e32cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8effa002b9a320c8af8bc5a51177a66b22fdccb0b33059e5d36d72b2939e32cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/util/TokenProcessor.java"}, "region": {"startLine": 205}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 94062, "scanner": "repobility-threat-engine", "fingerprint": "d3e438b15287c62cd5c39031748a2dcadfe3ae837501fa5f31f345bf94823445", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "MethodMatchers.create()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d3e438b15287c62cd5c39031748a2dcadfe3ae837501fa5f31f345bf94823445"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-common/src/main/java/org/sonar/java/checks/helpers/HardcodedStringExpressionChecker.java"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 94061, "scanner": "repobility-threat-engine", "fingerprint": "da50056a6c11703a3b7cfe0bb0049ca4672327f7eb3defce54da4e11a8c8b078", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "MethodMatchers.create()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da50056a6c11703a3b7cfe0bb0049ca4672327f7eb3defce54da4e11a8c8b078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-aws/src/main/java/org/sonar/java/checks/aws/AbstractAwsMethodVisitor.java"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 94060, "scanner": "repobility-threat-engine", "fingerprint": "e203fd13b8bfae78a73a47248a131e17482b27b3a147619e931d292e87240000", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "md.update(now);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e203fd13b8bfae78a73a47248a131e17482b27b3a147619e931d292e87240000"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/util/TokenProcessor.java"}, "region": {"startLine": 208}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 94058, "scanner": "repobility-threat-engine", "fingerprint": "2c233b6ec77bc098d3a4bba97d0e95ee2ca54ff1dc51faa74ae6f6d3bd9350c0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2c233b6ec77bc098d3a4bba97d0e95ee2ca54ff1dc51faa74ae6f6d3bd9350c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/chain/commands/servlet/PerformInclude.java"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 94057, "scanner": "repobility-threat-engine", "fingerprint": "62f9d95029c5f37c8408944792f9ae51564e724392b03f9168ed72df3a196278", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|62f9d95029c5f37c8408944792f9ae51564e724392b03f9168ed72df3a196278"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/chain/commands/servlet/PerformForward.java"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 94056, "scanner": "repobility-threat-engine", "fingerprint": "20a80490f98d32a23e1f9ba83239f896d0b8f670cc99bbed02a69340cfc95b2e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|20a80490f98d32a23e1f9ba83239f896d0b8f670cc99bbed02a69340cfc95b2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/action/ActionRedirect.java"}, "region": {"startLine": 166}}}]}, {"ruleId": "SEC030", "level": "error", "message": {"text": "[SEC030] Open Redirect \u2014 user-controlled redirect target: Redirect target is taken directly from user input without validating that the destination is local to the site. Attackers craft phishing URLs that appear to come from your domain but land on attacker-controlled pages \u2014 common in OAuth callback flows, post-login redirects, and `next=` parameters. CWE-601."}, "properties": {"repobilityId": 94055, "scanner": "repobility-threat-engine", "fingerprint": "f6bd0c1de11c30c7c9251fa7ba0b2cdf7cbe440c68271683724d82dabe015ea2", "category": "open_redirect", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Redirect(redirect)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC030", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f6bd0c1de11c30c7c9251fa7ba0b2cdf7cbe440c68271683724d82dabe015ea2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "its/plugin/projects/struts-1.3.9-lite/core/src/main/java/org/apache/struts/action/ActionForward.java"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 94121, "scanner": "repobility-threat-engine", "fingerprint": "d9fffd912fa75619f9c7517ce3898a373d80f83c6159de6fcda333feccea2bda", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d9fffd912fa75619f9c7517ce3898a373d80f83c6159de6fcda333feccea2bda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/spring-3.2/src/main/java/checks/SQLInjectionCheckSample.java"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED007", "level": "error", "message": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "properties": {"repobilityId": 94120, "scanner": "repobility-threat-engine", "fingerprint": "aa72e457078c42be5bf42b159c1227af35663ef4fed277a0d2eb42eda15cca8a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa72e457078c42be5bf42b159c1227af35663ef4fed277a0d2eb42eda15cca8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/spring-3.2/src/main/java/checks/SQLInjectionCheckSample.java"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 94119, "scanner": "repobility-threat-engine", "fingerprint": "93a87b526b417bc9a2c73b9859d401e16e33a25904d610224e0547ff7b7fd006", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mysql://sandy:secret@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|6|mysql://sandy:secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/security/EmptyDatabasePasswordCheckSample.java"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 94117, "scanner": "repobility-threat-engine", "fingerprint": "855eae878dd5ff85ebf9bd578394d0dbdf30cdf10b8ae95e358f280f0f162230", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.3 bits) \u2014 likely real secret", "evidence": {"match": "password=\"<redacted>; // Noncompliant\n    DriverManager.getConnection(\"", "reason": "High entropy value (4.3 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|4|password redacted // noncompliant drivermanager.getconnection"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/security/EmptyDatabasePasswordCheckSample.java"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 94105, "scanner": "repobility-threat-engine", "fingerprint": "ac4dd985d2b781f3d5ca27795d063e50c95fc48ac0fb5204a8d7641f777abd5f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ac4dd985d2b781f3d5ca27795d063e50c95fc48ac0fb5204a8d7641f777abd5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/security/EmptyDatabasePasswordCheckSample.java"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 94104, "scanner": "repobility-threat-engine", "fingerprint": "638032f77dd67e3f6040ec2cae18f33dbbd8dcd88d3ffe0dcfc3e4d9e52a640c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|638032f77dd67e3f6040ec2cae18f33dbbd8dcd88d3ffe0dcfc3e4d9e52a640c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/HardCodedSecretCheckSample.java"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC051", "level": "error", "message": {"text": "[SEC051] Stripe live/test key: Stripe API key (live or test). Live keys can charge real cards. Ported from gitleaks stripe-access-token (MIT)."}, "properties": {"repobilityId": 94103, "scanner": "repobility-threat-engine", "fingerprint": "8d22fed1e4950923d4f16d4282011da8da174df41c5c9fba862d690db816cb42", "category": "secret", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sk_live_xf2fh0Hu3LqXlqqUg2DEWhEz", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC051", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|10|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-checks-test-sources/default/src/main/java/checks/HardCodedSecretCheckSample.java"}, "region": {"startLine": 103}}}]}]}]}