{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR003", "name": "Compose service `qdrant` image uses the latest tag", "shortDescription": {"text": "Compose service `qdrant` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "When dependency installation comes after COPY ., any source change invalidates the dependency layer and makes Docker rebuild much more slowly."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . 
is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `validate_board` has cognitive complexity 17 (SonarSource scale). Cognitiv", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `validate_board` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursio"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 17."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 656 lines (recommend <300)", "shortDescription": {"text": "Average file size is 656 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] 
Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.", "shortDescription": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0320", "name": "yaml-rust: RUSTSEC-2024-0320", "shortDescription": {"text": "yaml-rust: RUSTSEC-2024-0320"}, "fullDescription": {"text": "yaml-rust is unmaintained."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2021-0046", "name": "telemetry: RUSTSEC-2021-0046", "shortDescription": {"text": "telemetry: RUSTSEC-2021-0046"}, "fullDescription": {"text": "misc::vec_with_size() can drop uninitialized memory if clone panics"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0134", "name": "rustls-pemfile: RUSTSEC-2025-0134", "shortDescription": {"text": "rustls-pemfile: RUSTSEC-2025-0134"}, "fullDescription": {"text": "rustls-pemfile is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0097", "name": "rand: RUSTSEC-2026-0097", "shortDescription": {"text": "rand: RUSTSEC-2026-0097"}, "fullDescription": {"text": "Rand is unsound with a custom logger using `rand::rng()`"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0141", "name": "bincode: RUSTSEC-2025-0141", "shortDescription": {"text": "bincode: RUSTSEC-2025-0141"}, "fullDescription": {"text": "Bincode is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8) and the IPv6 equivalents, check the resolved IP address rather than the hostname string, and re-validate after every redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `Swatinem/rust-cache` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `Swatinem/rust-cache` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `debian:bookworm-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `debian:bookworm-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.assertIn` used but never assigned in __init__", "shortDescription": {"text": "`self.assertIn` used but never assigned in __init__"}, "fullDescription": {"text": "Method `test_parity_audit_runs` of class `PortingWorkspaceTests` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance, unless the attribute is inherited from a base class (for example, `unittest.TestCase` defines `assertIn`)."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/717"}, "properties": {"repository": "ultraworkers/claw-code", "repoUrl": "https://github.com/ultraworkers/claw-code", "branch": "main"}, "results": [{"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `qdrant` image uses the latest tag"}, "properties": {"repobilityId": 58063, "scanner": "repobility-docker", "fingerprint": "fc0a6847d6550bf2d1207185a4d05de5c3e7714cc53f00adfea020375826538c", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "qdrant/qdrant:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fc0a6847d6550bf2d1207185a4d05de5c3e7714cc53f00adfea020375826538c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 58061, "scanner": "repobility-docker", "fingerprint": "474c360bb33a072a6fc142983d3269387dd2713c94dbd1a6a2981f24a2746adc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": 
"debian:bookworm-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|474c360bb33a072a6fc142983d3269387dd2713c94dbd1a6a2981f24a2746adc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/claw-rag-service/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 58060, "scanner": "repobility-docker", "fingerprint": "33dc6a271905e68a6e5535658180e6417d6aba3e943afd0d401e03023a0fb5c6", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 6 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 6, "correlation_key": "fp|33dc6a271905e68a6e5535658180e6417d6aba3e943afd0d401e03023a0fb5c6", "dependency_install_line": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/claw-rag-service/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 58059, "scanner": "repobility-docker", "fingerprint": "46e819ff86579b093e9d23e8e27cf3ee8751941815a3e8e15d88bb7b0408c90b", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|46e819ff86579b093e9d23e8e27cf3ee8751941815a3e8e15d88bb7b0408c90b", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/claw-rag-service/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `validate_board` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=2, if=8, nested_bonus=7."}, "properties": {"repobilityId": 58038, "scanner": "repobility-threat-engine", "fingerprint": "88cc82fc247c9cab39a47f7d8c049c96e144e9f576040c7109e9d15257d72dab", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 17 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "validate_board", "breakdown": {"if": 8, "for": 2, "nested_bonus": 7}, "complexity": 17, "correlation_key": "fp|88cc82fc247c9cab39a47f7d8c049c96e144e9f576040c7109e9d15257d72dab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".omx/cc2/render_board_md.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `validate_command_examples` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=2, for=3, if=3, nested_bonus=11."}, "properties": {"repobilityId": 58037, "scanner": "repobility-threat-engine", "fingerprint": "10f8433a1c486cc61b0c22618624293f52646225ec388280a0144718d3774d7d", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 19 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "validate_command_examples", "breakdown": {"if": 3, "for": 3, "continue": 2, "nested_bonus": 11}, "complexity": 19, "correlation_key": "fp|10f8433a1c486cc61b0c22618624293f52646225ec388280a0144718d3774d7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check_release_readiness.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 58035, "scanner": "repobility-agent-runtime", "fingerprint": "331d8b7f04ba4cd3c21cca41f0c736e254af6b30781da6e1e342994b36a0b0bb", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|331d8b7f04ba4cd3c21cca41f0c736e254af6b30781da6e1e342994b36a0b0bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/README.md"}, "region": {"startLine": 128}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 58034, "scanner": "repobility-agent-runtime", "fingerprint": "47d23c5b80e0e7501e8f7226cc8cc1ceda60ac533fb64c192db36f6964fe4eb8", "category": "quality", 
"severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|47d23c5b80e0e7501e8f7226cc8cc1ceda60ac533fb64c192db36f6964fe4eb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/.claude/sessions/session-1775009841982.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 58002, "scanner": "repobility-ast-engine", "fingerprint": "676758d0b20ea7fa43971167e0844f02aff8a749be449005554e3d611a59f37b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|676758d0b20ea7fa43971167e0844f02aff8a749be449005554e3d611a59f37b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate_cc2_board.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 656 lines (recommend <300)"}, "properties": {"repobilityId": 57985, "scanner": "repobility-core", "fingerprint": "1711a679e23d1b4a788de08bf15cfbb21bc71d33cf89a851bf79d71dc244cacd", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|1711a679e23d1b4a788de08bf15cfbb21bc71d33cf89a851bf79d71dc244cacd"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": 
"Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58069, "scanner": "repobility-docker", "fingerprint": "5483b866bcf9f0a273143f475cc7a84cc50800b863f8c048d338f9e9fdeb10a8", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "rag-ingest", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5483b866bcf9f0a273143f475cc7a84cc50800b863f8c048d338f9e9fdeb10a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 58068, "scanner": "repobility-docker", "fingerprint": "ccf66dc0b619e5591381388f36d9b4c28fdcd1a27e53c1bbd0e96db0aaa79373", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "rag-ingest", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ccf66dc0b619e5591381388f36d9b4c28fdcd1a27e53c1bbd0e96db0aaa79373"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58067, "scanner": "repobility-docker", "fingerprint": "ec6d43703dcbc361691a5a809241d74dff2482a199145928e11c2b6b8f846967", "category": "docker", 
"severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "rag-serve", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ec6d43703dcbc361691a5a809241d74dff2482a199145928e11c2b6b8f846967"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 58066, "scanner": "repobility-docker", "fingerprint": "b80673a6b3d4024b9e31fcbefce5ab8f802e1b1d2c848081fb3285a02dccd836", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "rag-serve", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b80673a6b3d4024b9e31fcbefce5ab8f802e1b1d2c848081fb3285a02dccd836"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58065, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": 
"repobility-docker", "service": "qdrant", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 58064, "scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "qdrant", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 58062, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", 
"*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 58058, "scanner": "repobility-threat-engine", "fingerprint": "d5216ca9830b019dd99cb62e8ec22b61016d29f7bba4e849f67941e163e6eba4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d5216ca9830b019dd99cb62e8ec22b61016d29f7bba4e849f67941e163e6eba4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/path_scope.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 58057, "scanner": "repobility-threat-engine", "fingerprint": "8ca5c7b9a05f669421712475253ea898decbb8da58c1d800c72c6f7823957c70", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8ca5c7b9a05f669421712475253ea898decbb8da58c1d800c72c6f7823957c70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/runtime/src/mcp_client.rs"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 58056, "scanner": "repobility-threat-engine", "fingerprint": "bb56396bf646e37bf72636ef6f132cb83bee4b6a795042793422db9802282bf6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb56396bf646e37bf72636ef6f132cb83bee4b6a795042793422db9802282bf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/runtime/src/git_context.rs"}, "region": {"startLine": 320}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 58055, "scanner": "repobility-threat-engine", "fingerprint": "74458f18193f56c84cb2a316bed87d27e4a0817370a0ac53d968e1f473a77386", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|74458f18193f56c84cb2a316bed87d27e4a0817370a0ac53d968e1f473a77386"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/api/src/client.rs"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 58054, "scanner": "repobility-threat-engine", "fingerprint": "18ccfc41915666bc72ad176b9d73fe2f39691ff86389eedc4ded1197153411a9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|18ccfc41915666bc72ad176b9d73fe2f39691ff86389eedc4ded1197153411a9", "aggregated_count": 5}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics on None/Err just like .unwrap(), only with a custom message."}, "properties": {"repobilityId": 58053, "scanner": "repobility-threat-engine", "fingerprint": "a92c2cdf09ae962a574a1defb4ccf9c142db9ec99d7773669075304558e9c6f9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a92c2cdf09ae962a574a1defb4ccf9c142db9ec99d7773669075304558e9c6f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/compat-harness/src/lib.rs"}, "region": {"startLine": 324}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 58052, "scanner": "repobility-threat-engine", "fingerprint": "58d0c4c3eb19814f92c6fdd50bc2cf61c33b7a33a17cea09f4acab8fb43a2927", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58d0c4c3eb19814f92c6fdd50bc2cf61c33b7a33a17cea09f4acab8fb43a2927"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/api/src/sse.rs"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 58051, "scanner": "repobility-threat-engine", "fingerprint": "c3b72b424efc8efef5a129d1bedc59257af00edbdf25f152bb6173764b65b571", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c3b72b424efc8efef5a129d1bedc59257af00edbdf25f152bb6173764b65b571"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/api/src/client.rs"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 58050, "scanner": "repobility-threat-engine", "fingerprint": "6bc1af309547d1f2aa66ac591c7a7df3e14fcaf480c3e73ec2ca62a539556e15", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6bc1af309547d1f2aa66ac591c7a7df3e14fcaf480c3e73ec2ca62a539556e15", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 58042, "scanner": "repobility-threat-engine", "fingerprint": "db4c529b5603850a4819cad0f747ba16ac6540dff8fe32681488e5ca6b57b16d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|db4c529b5603850a4819cad0f747ba16ac6540dff8fe32681488e5ca6b57b16d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/claw-rag-service/src/main.rs"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 58041, "scanner": "repobility-threat-engine", "fingerprint": "97abe33429e68a0efab41ed7ef305a80b1e90a5e0a43c5354250ae319d3eb866", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|97abe33429e68a0efab41ed7ef305a80b1e90a5e0a43c5354250ae319d3eb866"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 58039, "scanner": "repobility-threat-engine", "fingerprint": "d77c5009f48b7037f4b39dca2da19e88620f9ee944ab4de5a78fef76b97d4995", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "validate_markdown_links", "breakdown": {"if": 5, "for": 2, "else": 1, "except": 1, "continue": 3, "nested_bonus": 14}, "aggregated": true, "complexity": 26, "correlation_key": "fp|d77c5009f48b7037f4b39dca2da19e88620f9ee944ab4de5a78fef76b97d4995", "aggregated_count": 8}}}, {"ruleId": "RUSTSEC-2024-0320", "level": "error", "message": {"text": "yaml-rust: RUSTSEC-2024-0320"}, "properties": {"repobilityId": 58078, "scanner": "osv-scanner", "fingerprint": "43ab752837b5bd110b4606505173e5772bff004d374471263e4ae6fe707428ef", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "yaml-rust", "rule_id": "RUSTSEC-2024-0320", "scanner": "osv-scanner", "correlation_key": "fp|43ab752837b5bd110b4606505173e5772bff004d374471263e4ae6fe707428ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2021-0046", "level": "error", "message": {"text": "telemetry: RUSTSEC-2021-0046"}, "properties": {"repobilityId": 58077, "scanner": "osv-scanner", "fingerprint": "5086834c49fd96980e52c3ef95761af6902ce415583c684c8ca00f5717ccc1b0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2021-29937", "GHSA-hpcx-3pw8-g3j2"], "package": "telemetry", "rule_id": "RUSTSEC-2021-0046", "scanner": "osv-scanner", "correlation_key": "vuln|telemetry|CVE-2021-29937|rust/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0134", "level": "error", "message": {"text": "rustls-pemfile: RUSTSEC-2025-0134"}, "properties": {"repobilityId": 58076, "scanner": 
"osv-scanner", "fingerprint": "4b804ae33c1b2d7e5abce19b8cb4b61d4ec63eeeba9c451d67806e1f5bfcf3c1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "rustls-pemfile", "rule_id": "RUSTSEC-2025-0134", "scanner": "osv-scanner", "correlation_key": "fp|4b804ae33c1b2d7e5abce19b8cb4b61d4ec63eeeba9c451d67806e1f5bfcf3c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0097", "level": "error", "message": {"text": "rand: RUSTSEC-2026-0097"}, "properties": {"repobilityId": 58075, "scanner": "osv-scanner", "fingerprint": "5d9dd0ec2b75fa5570af835c4043287bd42905fa5deb9df1f702d78a1fc8776e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-cq8v-f236-94qc"], "package": "rand", "rule_id": "RUSTSEC-2026-0097", "scanner": "osv-scanner", "correlation_key": "vuln|rand|GHSA-CQ8V-F236-94QC|rust/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cq8v-f236-94qc", "RUSTSEC-2026-0097"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5d9dd0ec2b75fa5570af835c4043287bd42905fa5deb9df1f702d78a1fc8776e", "ee3783b31edb627fc020a6e985ffe9075b37770dacadd60cf2a98d29d11b9dd9"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0141", "level": "error", "message": {"text": "bincode: RUSTSEC-2025-0141"}, "properties": {"repobilityId": 58074, "scanner": "osv-scanner", "fingerprint": "51655e7a5b85daa8543641939fbfa7a42e9a920dd1bb9855efba8bcc839fdbd8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"match": "", "package": "bincode", "rule_id": "RUSTSEC-2025-0141", "scanner": "osv-scanner", "correlation_key": "fp|51655e7a5b85daa8543641939fbfa7a42e9a920dd1bb9855efba8bcc839fdbd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 58049, "scanner": "repobility-threat-engine", "fingerprint": "23136a0678a9ae10a01bf8c8d8be2183f1832b1cf3b4a55905afc8ba5d627d0d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23136a0678a9ae10a01bf8c8d8be2183f1832b1cf3b4a55905afc8ba5d627d0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/claw-analog/src/config_cmd.rs"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 58048, "scanner": "repobility-threat-engine", "fingerprint": "21f67d90fd5191b8cc26ef6009b14c87035bd41ed5f4579f3e627d9aa2b3e859", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21f67d90fd5191b8cc26ef6009b14c87035bd41ed5f4579f3e627d9aa2b3e859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/api/src/types.rs"}, "region": {"startLine": 336}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 58047, "scanner": "repobility-threat-engine", "fingerprint": "b3c7a940a4bdc3ff4d26825dd4222613b6d185e3eaefeb2b4f844708bfb459dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b3c7a940a4bdc3ff4d26825dd4222613b6d185e3eaefeb2b4f844708bfb459dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/api/src/client.rs"}, "region": {"startLine": 236}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58046, "scanner": "repobility-threat-engine", "fingerprint": "b75e8925ca301212739f5f4bda1d010fd1226d10a67cfeff99f42ae149ba05cc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(\n    k", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b75e8925ca301212739f5f4bda1d010fd1226d10a67cfeff99f42ae149ba05cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/rusty-claude-cli/src/setup_wizard.rs"}, "region": {"startLine": 153}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58045, "scanner": "repobility-threat-engine", "fingerprint": "cee8b138426ae0f8afc1f13c511326d22f17922a8c803666872e9ce5609492fb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cee8b138426ae0f8afc1f13c511326d22f17922a8c803666872e9ce5609492fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/runtime/src/mcp.rs"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58044, "scanner": "repobility-threat-engine", "fingerprint": "447a04eae864464f4b13d8a18e1207a8cf1983e8fd5748fbcf7493d1cb006983", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(O", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|447a04eae864464f4b13d8a18e1207a8cf1983e8fd5748fbcf7493d1cb006983"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/api/src/client.rs"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 58043, "scanner": "repobility-threat-engine", "fingerprint": "4561231756475f68f85d827c0aa627a2cdac13ae8fe97ee647bbc131b35e6110", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4561231756475f68f85d827c0aa627a2cdac13ae8fe97ee647bbc131b35e6110"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.sh"}, "region": {"startLine": 139}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `validate_markdown_links` has cognitive complexity 26 (SonarSource 
scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=3, else=1, except=1, for=2, if=5, nested_bonus=14."}, "properties": {"repobilityId": 58036, "scanner": "repobility-threat-engine", "fingerprint": "62558dece0fe383b90b1c51b58ef96f1ec3f37bc033f51bccf02e7cd153a2593", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 26 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "validate_markdown_links", "breakdown": {"if": 5, "for": 2, "else": 1, "except": 1, "continue": 3, "nested_bonus": 14}, "complexity": 26, "correlation_key": "fp|62558dece0fe383b90b1c51b58ef96f1ec3f37bc033f51bccf02e7cd153a2593"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check_release_readiness.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `Swatinem/rust-cache` is referenced by mutable ref `@v2` rather than pinned to a full commit SHA"}, "properties": {"repobilityId": 58033, "scanner": "repobility-supply-chain", "fingerprint": "3f94cf313b3fb86202575bf321d62a9e1804a91688493f4d379cf43ce45c19b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3f94cf313b3fb86202575bf321d62a9e1804a91688493f4d379cf43ce45c19b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to 
mutable ref `@stable`"}, "properties": {"repobilityId": 58032, "scanner": "repobility-supply-chain", "fingerprint": "9da8ea8eb3efafab2394f428ed2e5271c0d588b119236c28683683a5eaab9b40", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9da8ea8eb3efafab2394f428ed2e5271c0d588b119236c28683683a5eaab9b40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 58031, "scanner": "repobility-supply-chain", "fingerprint": "60963d9ccd2a1f6926f9c6db824861aa2361bebd81f0e695591ab508ceb6af49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|60963d9ccd2a1f6926f9c6db824861aa2361bebd81f0e695591ab508ceb6af49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `Swatinem/rust-cache` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 58030, "scanner": "repobility-supply-chain", "fingerprint": "248e3bb424582dc07f46ea429aa68f3c77b4aa35708a29d65d3768b3e92509d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|248e3bb424582dc07f46ea429aa68f3c77b4aa35708a29d65d3768b3e92509d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 58029, "scanner": "repobility-supply-chain", "fingerprint": "ceb365868f48a61cdc1970e592ab0ef96a6b378dfa46dee6e1892b07cea74e1b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ceb365868f48a61cdc1970e592ab0ef96a6b378dfa46dee6e1892b07cea74e1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 58028, "scanner": "repobility-supply-chain", "fingerprint": "6471edce35cfd91849399fb9b275d6cfac98c6e7b6525846f87fde0668a21561", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6471edce35cfd91849399fb9b275d6cfac98c6e7b6525846f87fde0668a21561"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `Swatinem/rust-cache` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 58027, "scanner": "repobility-supply-chain", "fingerprint": "c45110d18d4daddc8d921ea8d0e54b3afbd3aeeff5a050da05deaa8e782d8d06", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c45110d18d4daddc8d921ea8d0e54b3afbd3aeeff5a050da05deaa8e782d8d06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 58026, "scanner": "repobility-supply-chain", "fingerprint": "68d0f934fef978d1ee7474a79b3a07b947007e4ba3c6fd994f386b365ac336f8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|68d0f934fef978d1ee7474a79b3a07b947007e4ba3c6fd994f386b365ac336f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 58025, "scanner": 
"repobility-supply-chain", "fingerprint": "3d3358bf63fb1d515dd63ee7dbcdb8d2fd69d71a024451f91368d1480c19de0f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d3358bf63fb1d515dd63ee7dbcdb8d2fd69d71a024451f91368d1480c19de0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `Swatinem/rust-cache` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 58024, "scanner": "repobility-supply-chain", "fingerprint": "27762c6a24e918808a691d4aad79e745654547fdc28df5d4edbf6dd7067f4ee2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|27762c6a24e918808a691d4aad79e745654547fdc28df5d4edbf6dd7067f4ee2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 58023, "scanner": "repobility-supply-chain", "fingerprint": "9c886f90a866bf8f83e69309c37b5ec76162e5f10a3b9c2b0aa35cacb50fac97", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c886f90a866bf8f83e69309c37b5ec76162e5f10a3b9c2b0aa35cacb50fac97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 58022, "scanner": "repobility-supply-chain", "fingerprint": "6c6837445a24b668d310a30fb7007e28a10161931a992cc039b45e5718daa19d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c6837445a24b668d310a30fb7007e28a10161931a992cc039b45e5718daa19d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 58021, "scanner": "repobility-supply-chain", "fingerprint": "8910f1f2dff59c4991ecb3747d44a067f72f99a0250fd97c3b02a36dfd4c72ca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8910f1f2dff59c4991ecb3747d44a067f72f99a0250fd97c3b02a36dfd4c72ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/rust-ci.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 58020, "scanner": "repobility-supply-chain", "fingerprint": "436e4604db6ef6b41f99e05b80c7806e26cd991b9db1a53ce6bde9ebe66594ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|436e4604db6ef6b41f99e05b80c7806e26cd991b9db1a53ce6bde9ebe66594ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 58019, "scanner": "repobility-supply-chain", "fingerprint": "b4b68655bf049e360b5e90f0da7cb1c8bbc8f8115b4be43b0953d8e3d0fe025a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4b68655bf049e360b5e90f0da7cb1c8bbc8f8115b4be43b0953d8e3d0fe025a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 58018, "scanner": "repobility-supply-chain", "fingerprint": 
"fab1972a69a94ea4fe0a0aa78a8837de5c18a881f3a455498c99b7c4297ddc34", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fab1972a69a94ea4fe0a0aa78a8837de5c18a881f3a455498c99b7c4297ddc34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `Swatinem/rust-cache` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 58017, "scanner": "repobility-supply-chain", "fingerprint": "80bbdf1754eab77e566d824a7195600adb1f16cad4eee2814054551de8116ab0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|80bbdf1754eab77e566d824a7195600adb1f16cad4eee2814054551de8116ab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 58016, "scanner": "repobility-supply-chain", "fingerprint": "04ae8553cd7f934f85ecf391ef26e01c337fd67e3d3e4242a25bec381b3e92ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04ae8553cd7f934f85ecf391ef26e01c337fd67e3d3e4242a25bec381b3e92ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 58015, "scanner": "repobility-supply-chain", "fingerprint": "9f77c409bd99875aee80aa5729a71f2a2c42c4b9b50a49802ff2a0fa8cc84f2b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f77c409bd99875aee80aa5729a71f2a2c42c4b9b50a49802ff2a0fa8cc84f2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 58014, "scanner": "repobility-supply-chain", "fingerprint": "e2ecbdb9ece089d11ae1ba580b28999e3fc237ee0db77471eabc3b65167ee2e6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2ecbdb9ece089d11ae1ba580b28999e3fc237ee0db77471eabc3b65167ee2e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 21}}}]}, 
{"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `debian:bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 58013, "scanner": "repobility-supply-chain", "fingerprint": "b24e6f7de192cd9d1d19623b1421f3913c3cf6c3ca318907860e708c60aea45b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b24e6f7de192cd9d1d19623b1421f3913c3cf6c3ca318907860e708c60aea45b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/claw-rag-service/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `rust:1.91-bookworm` not pinned by digest"}, "properties": {"repobilityId": 58012, "scanner": "repobility-supply-chain", "fingerprint": "4e3d629b6328b05783dd194bf0ce855c2af2fad981f8d4025d0978fe1bb965f8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e3d629b6328b05783dd194bf0ce855c2af2fad981f8d4025d0978fe1bb965f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/crates/claw-rag-service/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIn` used but never assigned in __init__"}, "properties": {"repobilityId": 58011, "scanner": "repobility-ast-engine", "fingerprint": "32c366c70121dfe69a21ac178919c2ad535eb8333f60505c446313063b06decb", 
"category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32c366c70121dfe69a21ac178919c2ad535eb8333f60505c446313063b06decb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_porting_workspace.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIn` used but never assigned in __init__"}, "properties": {"repobilityId": 58010, "scanner": "repobility-ast-engine", "fingerprint": "5701e0164c94ad0cd780ba6c5df8252f7e9742b09d7bfdeb27d911240f8a3182", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5701e0164c94ad0cd780ba6c5df8252f7e9742b09d7bfdeb27d911240f8a3182"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_porting_workspace.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIn` used but never assigned in __init__"}, "properties": {"repobilityId": 58009, "scanner": "repobility-ast-engine", "fingerprint": "53bda60b9dad45fb56adfbe5bad9ad683b4aa36986dd85059e61713b06db674f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|53bda60b9dad45fb56adfbe5bad9ad683b4aa36986dd85059e61713b06db674f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_porting_workspace.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIn` used but never assigned in __init__"}, "properties": {"repobilityId": 58008, "scanner": "repobility-ast-engine", "fingerprint": "ac1d5cf3de0f54667526f2f44c50e43badccfa02ddfaacfbf1fc164e74217151", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ac1d5cf3de0f54667526f2f44c50e43badccfa02ddfaacfbf1fc164e74217151"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_porting_workspace.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIn` used but never assigned in __init__"}, "properties": {"repobilityId": 58007, "scanner": "repobility-ast-engine", "fingerprint": "4e18c191f6643708ccb2dfb61b888d122725c0973d852a88b809f9f5f5ca8b7c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e18c191f6643708ccb2dfb61b888d122725c0973d852a88b809f9f5f5ca8b7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_porting_workspace.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertTrue` 
used but never assigned in __init__"}, "properties": {"repobilityId": 58006, "scanner": "repobility-ast-engine", "fingerprint": "2c50d32136374bd9ec25f3f4e75f9b3ee6252ff095f85c2a302a57e6d3ac2460", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2c50d32136374bd9ec25f3f4e75f9b3ee6252ff095f85c2a302a57e6d3ac2460"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_porting_workspace.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertGreaterEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 58005, "scanner": "repobility-ast-engine", "fingerprint": "7f5fb69dabcbcad87135551712bb51e5828f7492c3785d99212d71cbd7e98536", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7f5fb69dabcbcad87135551712bb51e5828f7492c3785d99212d71cbd7e98536"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_porting_workspace.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.stderr_text` used but never assigned in __init__"}, "properties": {"repobilityId": 58004, "scanner": "repobility-ast-engine", "fingerprint": "f4df3ae188b07797637815427ad6312763c0e811e641a80718766a9f71c2fbce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f4df3ae188b07797637815427ad6312763c0e811e641a80718766a9f71c2fbce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/dogfood-probe.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.stdout_text` used but never assigned in __init__"}, "properties": {"repobilityId": 58003, "scanner": "repobility-ast-engine", "fingerprint": "e117e77dda528e6288a4f5a4d7175f8cde125771fca35e4655a6f8a3d7044123", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e117e77dda528e6288a4f5a4d7175f8cde125771fca35e4655a6f8a3d7044123"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/dogfood-probe.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._score` used but never assigned in __init__"}, "properties": {"repobilityId": 58001, "scanner": "repobility-ast-engine", "fingerprint": "c219fc31280a7d7f65b97ac4875b05db81df516d81faa35a6e9b9098ba4749dc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c219fc31280a7d7f65b97ac4875b05db81df516d81faa35a6e9b9098ba4749dc"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "src/runtime.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.route_prompt` used but never assigned in __init__"}, "properties": {"repobilityId": 58000, "scanner": "repobility-ast-engine", "fingerprint": "bfa5de52a277deb1cb7985f64919b4e076cc44cdf99432ed0ca892e101e8d416", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bfa5de52a277deb1cb7985f64919b4e076cc44cdf99432ed0ca892e101e8d416"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runtime.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._infer_permission_denials` used but never assigned in __init__"}, "properties": {"repobilityId": 57999, "scanner": "repobility-ast-engine", "fingerprint": "40f6d4c578a870df4ab965f9274eed55bc16547bf9c79bde183812eb7fd7ef49", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|40f6d4c578a870df4ab965f9274eed55bc16547bf9c79bde183812eb7fd7ef49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runtime.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.route_prompt` used but never assigned in __init__"}, "properties": {"repobilityId": 57998, "scanner": "repobility-ast-engine", "fingerprint": 
"a2e3df7538e2773764ae70ba065824f7d4960d11e1f8c6cc3029f6171b7f7138", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a2e3df7538e2773764ae70ba065824f7d4960d11e1f8c6cc3029f6171b7f7138"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runtime.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._collect_matches` used but never assigned in __init__"}, "properties": {"repobilityId": 57997, "scanner": "repobility-ast-engine", "fingerprint": "141471527c684cdfe4c74af53d421ce136ef0e22be813076f2a719a954010dc7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|141471527c684cdfe4c74af53d421ce136ef0e22be813076f2a719a954010dc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runtime.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._collect_matches` used but never assigned in __init__"}, "properties": {"repobilityId": 57996, "scanner": "repobility-ast-engine", "fingerprint": "12d8cac4a74e70d345ca7968850f20d22bc4b8536d752c1ddcaca05c4b5ec76d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], 
"observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|12d8cac4a74e70d345ca7968850f20d22bc4b8536d752c1ddcaca05c4b5ec76d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runtime.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._explicit_command_match` used but never assigned in __init__"}, "properties": {"repobilityId": 57995, "scanner": "repobility-ast-engine", "fingerprint": "15180d91c56c5b3afcb537bef67b7557a393e2d42414799025bb090fc48413e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|15180d91c56c5b3afcb537bef67b7557a393e2d42414799025bb090fc48413e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runtime.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._validate_windows_path` used but never assigned in __init__"}, "properties": {"repobilityId": 57994, "scanner": "repobility-ast-engine", "fingerprint": "3d2e12bec2459890393457984127b6ddb0c1f41cfd35d67dec49efa0eca4ea3e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d2e12bec2459890393457984127b6ddb0c1f41cfd35d67dec49efa0eca4ea3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/path_scope.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED108", "level": "error", "message": 
{"text": "`self._expand_glob` used but never assigned in __init__"}, "properties": {"repobilityId": 57993, "scanner": "repobility-ast-engine", "fingerprint": "4e935506ce816224dc52f6ff0342e047ddf09bd7a7d1d07dd4bdb7d5589163e4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e935506ce816224dc52f6ff0342e047ddf09bd7a7d1d07dd4bdb7d5589163e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/path_scope.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.validate_path` used but never assigned in __init__"}, "properties": {"repobilityId": 57992, "scanner": "repobility-ast-engine", "fingerprint": "20367ebafdd9dad6cdab9420552489ec6cf29676153059a633c9ea8c84568034", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20367ebafdd9dad6cdab9420552489ec6cf29676153059a633c9ea8c84568034"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/path_scope.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.validate_path` used but never assigned in __init__"}, "properties": {"repobilityId": 57991, "scanner": "repobility-ast-engine", "fingerprint": "3b335eadefd5c4dda9460427630dfffc4e25262ad35a96182c145335f1b3af7b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3b335eadefd5c4dda9460427630dfffc4e25262ad35a96182c145335f1b3af7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/path_scope.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._render_structured_output` used but never assigned in __init__"}, "properties": {"repobilityId": 57990, "scanner": "repobility-ast-engine", "fingerprint": "731dac39ea716946075e7e4a00da16ffe482b5ec75031d2034202733e09780c4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|731dac39ea716946075e7e4a00da16ffe482b5ec75031d2034202733e09780c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/query_engine.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.flush_transcript` used but never assigned in __init__"}, "properties": {"repobilityId": 57989, "scanner": "repobility-ast-engine", "fingerprint": "07cc4afec955592ebc30da3cffe192b1b1b0bc723e1ff1c07b2a1f98cb33f42e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|07cc4afec955592ebc30da3cffe192b1b1b0bc723e1ff1c07b2a1f98cb33f42e"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "src/query_engine.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.submit_message` used but never assigned in __init__"}, "properties": {"repobilityId": 57988, "scanner": "repobility-ast-engine", "fingerprint": "5e0f017c88cec346d280d39f2600046349195790727e208dbd668b2f91dd839e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5e0f017c88cec346d280d39f2600046349195790727e208dbd668b2f91dd839e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/query_engine.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.compact_messages_if_needed` used but never assigned in __init__"}, "properties": {"repobilityId": 57987, "scanner": "repobility-ast-engine", "fingerprint": "b2e71808c78f78e7f83ea2bb484b0cdcb41c556070da51f94139901c5a075197", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b2e71808c78f78e7f83ea2bb484b0cdcb41c556070da51f94139901c5a075197"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/query_engine.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._format_output` used but never assigned in __init__"}, "properties": {"repobilityId": 57986, "scanner": "repobility-ast-engine", "fingerprint": 
"32d44fe25e886033d7b546c51c706088f2b5506f6fed4eaea8cf73fa9fdd17af", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32d44fe25e886033d7b546c51c706088f2b5506f6fed4eaea8cf73fa9fdd17af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/query_engine.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 58073, "scanner": "gitleaks", "fingerprint": "b432901a0e3b1df40d227bbc911819995c21d670181fde74179bfd0cb79b6962", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "--api-key\",\"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|roadmap.md|181|--api-key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ROADMAP.md"}, "region": {"startLine": 1816}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 58072, "scanner": "gitleaks", "fingerprint": "d47736c2b30989589dd7c924c5355068f3d69b79ef92cb0069f8d70b6a1e8dab", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "--api-key\",\"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": 
"generic-api-key", "correlation_key": "secret|roadmap.md|180|--api-key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ROADMAP.md"}, "region": {"startLine": 1810}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 58071, "scanner": "gitleaks", "fingerprint": "05541b75ba6b97fae93b4bd1abcb2a5b0f31a2b7f83ee3286a839b14b0cb5356", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "OPENAI_API_KEY = \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|usage.md|27|openai_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "USAGE.md"}, "region": {"startLine": 271}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 58070, "scanner": "gitleaks", "fingerprint": "6ef8c741c50a19ead944b30fb510d1874d03d039bc139359bb5a32e7573b869b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "OPENAI_API_KEY = \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|13|openai_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/windows-install-release.md"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 58040, "scanner": "repobility-threat-engine", "fingerprint": "19b6fd11a9d896ac127f700cc3ea92b3d2ad4f7ed8b303b944137d76367459f7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(condition", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|19b6fd11a9d896ac127f700cc3ea92b3d2ad4f7ed8b303b944137d76367459f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".omx/cc2/validate_issue_parity_intake.py"}, "region": {"startLine": 24}}}]}]}]}