{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/310"}, "properties": {"repository": "google/adk-java", "repoUrl": "https://github.com/google/adk-java", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 9847, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Spring Boot"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9844, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e618e03925485ef9a116420a071b51055198aedabcad73b79cc54f87f9c51542", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dev/src/main/java/com/google/adk/web/controller/GraphController.java", "duplicate_line": 35, "correlation_key": "fp|e618e03925485ef9a116420a071b51055198aedabcad73b79cc54f87f9c51542"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/src/main/java/com/google/adk/web/controller/SessionController.java"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9843, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ec0051182006a0e3e54e71fa96207281dbf500f93268e50bb4111462e8edf7c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/main/java/com/google/adk/tools/applicationintegrationtoolset/IntegrationClient.java", "duplicate_line": 301, "correlation_key": "fp|3ec0051182006a0e3e54e71fa96207281dbf500f93268e50bb4111462e8edf7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/com/google/adk/tools/applicationintegrationtoolset/IntegrationConnectorTool.java"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9842, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4fd2e0e724e10e7106fb0b23ef3bf358d2d8df8497a36013e496b205da9f3bad", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/main/java/com/google/adk/tools/GoogleSearchTool.java", "duplicate_line": 15, "correlation_key": "fp|4fd2e0e724e10e7106fb0b23ef3bf358d2d8df8497a36013e496b205da9f3bad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/com/google/adk/tools/UrlContextTool.java"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9841, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b96ca1283293933580111427dd1d51b0ff2357d83b1fedd99f45f6c5483af755", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/main/java/com/google/adk/tools/GoogleMapsTool.java", "duplicate_line": 13, "correlation_key": "fp|b96ca1283293933580111427dd1d51b0ff2357d83b1fedd99f45f6c5483af755"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/com/google/adk/tools/UrlContextTool.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9840, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48ed20ca5f95f964cab82caa37dcf049d2840210a5f8f81829773b689f49ad74", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/main/java/com/google/adk/tools/GoogleMapsTool.java", "duplicate_line": 13, "correlation_key": "fp|48ed20ca5f95f964cab82caa37dcf049d2840210a5f8f81829773b689f49ad74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/com/google/adk/tools/GoogleSearchTool.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9839, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7f523425590f0788650c8db27b6ca5f4616f6a95bfcc0fc5d57684912270d0f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "contrib/firestore-session-service/src/main/java/com/google/adk/sessions/FirestoreSessionService.java", "duplicate_line": 62, "correlation_key": "fp|f7f523425590f0788650c8db27b6ca5f4616f6a95bfcc0fc5d57684912270d0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/com/google/adk/sessions/VertexAiSessionService.java"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9838, "scanner": "repobility-ai-code-hygiene", "fingerprint": "138709b9d90ae2f2e56c3963e6269c654fb7d47dc323842c25c9d8d4a472ac51", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "contrib/firestore-session-service/src/main/java/com/google/adk/sessions/FirestoreSessionService.java", "duplicate_line": 62, "correlation_key": "fp|138709b9d90ae2f2e56c3963e6269c654fb7d47dc323842c25c9d8d4a472ac51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/com/google/adk/sessions/InMemorySessionService.java"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9837, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae90238d2a88a9c7a1de27abb0bb3c33cdaa94983ef5f1027a9e0f4d96a3ac8f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "a2a/src/main/java/com/google/adk/a2a/executor/AgentExecutor.java", "duplicate_line": 100, "correlation_key": "fp|ae90238d2a88a9c7a1de27abb0bb3c33cdaa94983ef5f1027a9e0f4d96a3ac8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/com/google/adk/runner/Runner.java"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9836, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5704688a0a34f491d917036aac3e10d5c40e1b0a7b995ce12a633fefb4a21f14", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/main/java/com/google/adk/codeexecutors/VertexAiCodeExecutor.java", "duplicate_line": 44, "correlation_key": "fp|5704688a0a34f491d917036aac3e10d5c40e1b0a7b995ce12a633fefb4a21f14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/com/google/adk/flows/llmflows/CodeExecution.java"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 9845, "scanner": "repobility-threat-engine", "fingerprint": "b2ae9535e199df5ed0271e6adbd482a298dc1b50df940d300a23230a2d3d434b", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML=l", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|1|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/browser/chunk-TXJFAAIW.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 9846, "scanner": "repobility-threat-engine", "fingerprint": "ae34b7c1df1998e14992155dfb959413e908ce49c6e532e4694cff316c938607", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(this.colour)}}},{key:\"closeHandler\",value:function(e){var t=e&&e.type,r=!1;if(!e)r=!0;else if(t", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|2|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/browser/chunk-TXJFAAIW.js"}, "region": {"startLine": 2}}}]}]}]}