{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/242"}, "properties": {"repository": "facebook/lexical", "repoUrl": "https://github.com/facebook/lexical", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 22739, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 22735, "scanner": "repobility-threat-engine", "fingerprint": "daef190ece41ef56bc495024c046e0a3b8532bdf403efd52b071d5b6c6ab048d", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|180|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-playground/src/plugins/AutoEmbedPlugin/index.tsx"}, "region": {"startLine": 180}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 22730, "scanner": "repobility-threat-engine", "fingerprint": "d5f677a0a5bec31ae275df289fb5ff8c052d872b3fecfe645d677e3c16575db5", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`(?:${regex.source})$`, regex.flags);\n\nexport const listMarkerState = createState('mdList", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d5f677a0a5bec31ae275df289fb5ff8c052d872b3fecfe645d677e3c16575db5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-markdown/src/MarkdownTransformers.ts"}, "region": {"startLine": 229}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 22740, "scanner": "repobility-web-presence", "fingerprint": "921d92370e650021b3ced6e16a07d614b1f6322ba8f1a145e6149922ec4eb0e2", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|921d92370e650021b3ced6e16a07d614b1f6322ba8f1a145e6149922ec4eb0e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/extension-sveltekit-ssr-hydration/static/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 22738, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 22737, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 22736, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 22733, "scanner": "repobility-threat-engine", "fingerprint": "8c1b1184fc03c1c77278155a075d5afcade93789137fce3cfeedb16994bd8946", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|497|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-devtools-core/src/generateContent.ts"}, "region": {"startLine": 497}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22719, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ad778a25f7e4c2633ee750a481d095f3a921a445b2ac0ceda85d87bb995b0763", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-extension/src/index.ts", "duplicate_line": 72, "correlation_key": "fp|ad778a25f7e4c2633ee750a481d095f3a921a445b2ac0ceda85d87bb995b0763"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical/src/extension-core/index.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22718, "scanner": "repobility-ai-code-hygiene", "fingerprint": "08195f3b31a57f56823ae6fe91597281dca0965c5430b06aa6cf9559695d6866", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-clipboard/src/clipboard.ts", "duplicate_line": 377, "correlation_key": "fp|08195f3b31a57f56823ae6fe91597281dca0965c5430b06aa6cf9559695d6866"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical/src/LexicalEditorState.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22717, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d97e483b05612d49c526413d44e206b2750f67b0f466c9958476e21dd87baa2c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/plugins/ComponentPickerPlugin/index.tsx", "duplicate_line": 75, "correlation_key": "fp|d97e483b05612d49c526413d44e206b2750f67b0f466c9958476e21dd87baa2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-react/src/shared/LexicalMenu.tsx"}, "region": {"startLine": 237}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22716, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7204c7ae6bb8d7db0f93da903deb2808dca19d68bd9698a8c9e0a228b78f24ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-react/src/LexicalTypeaheadMenuPlugin.tsx", "duplicate_line": 90, "correlation_key": "fp|7204c7ae6bb8d7db0f93da903deb2808dca19d68bd9698a8c9e0a228b78f24ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-react/src/shared/LexicalMenu.tsx"}, "region": {"startLine": 127}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22715, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e469fffb7ad59dfe3a1d1bc9bc805c69d33a9b403754fc81b61df68ed9326df9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-react/src/LexicalPlainTextPlugin.tsx", "duplicate_line": 11, "correlation_key": "fp|e469fffb7ad59dfe3a1d1bc9bc805c69d33a9b403754fc81b61df68ed9326df9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-react/src/LexicalRichTextPlugin.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22714, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16288e04f34f70e83e4da8e522d9f0eefca65ed20db9ed1c5871e543328e8fb9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/plugins/MarkdownTransformers/index.ts", "duplicate_line": 45, "correlation_key": "fp|16288e04f34f70e83e4da8e522d9f0eefca65ed20db9ed1c5871e543328e8fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-react/src/LexicalMarkdownShortcutPlugin.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22713, "scanner": "repobility-ai-code-hygiene", "fingerprint": "925847cfa8a43bedd05511ef245cc8821b8f9e09445a2c435fd3f15baa1799f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-extension/src/HorizontalRuleExtension.ts", "duplicate_line": 125, "correlation_key": "fp|925847cfa8a43bedd05511ef245cc8821b8f9e09445a2c435fd3f15baa1799f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-react/src/LexicalHorizontalRulePlugin.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22712, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7372813d1b71b96c6ac9bad23ea056712187daf489367bfd7d17f275a203d06d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-extension/src/HorizontalRuleExtension.ts", "duplicate_line": 39, "correlation_key": "fp|7372813d1b71b96c6ac9bad23ea056712187daf489367bfd7d17f275a203d06d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-react/src/LexicalHorizontalRuleNode.tsx"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "13d4a34b62e72565d95d8db71ca6cb6a9b011820ab734e521aa16361bf8e95f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/nodes/PageBreakNode/index.tsx", "duplicate_line": 31, "correlation_key": "fp|13d4a34b62e72565d95d8db71ca6cb6a9b011820ab734e521aa16361bf8e95f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-react/src/LexicalHorizontalRuleNode.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12342e679519e92b7a702703919f8f2abd81c3c1aea833b068f4de7498b5d9cb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/nodes/PageBreakNode/index.tsx", "duplicate_line": 31, "correlation_key": "fp|12342e679519e92b7a702703919f8f2abd81c3c1aea833b068f4de7498b5d9cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-react/src/LexicalBlockWithAlignableContents.tsx"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2ab2c6744719ae562d2e82331c8995cbc5b3d43051b8c821eaf7e265990ba1d0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/utils/setFloatingElemPosition.ts", "duplicate_line": 8, "correlation_key": "fp|2ab2c6744719ae562d2e82331c8995cbc5b3d43051b8c821eaf7e265990ba1d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-playground/src/utils/setFloatingElemPositionForLinkEditor.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ade0257ab0e5c8ac7fc08bf7abc9f2264a2c3d9f40b35d5da37ba820e685ceca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/plugins/PageBreakExtension/index.ts", "duplicate_line": 1, "correlation_key": "fp|ade0257ab0e5c8ac7fc08bf7abc9f2264a2c3d9f40b35d5da37ba820e685ceca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-playground/src/plugins/PageBreakExtension/index.tsx"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "988ab72554f947f7f7e121b5b653644ca380d122fff12265a85482fb920f1c8e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/plugins/ComponentPickerPlugin/index.tsx", "duplicate_line": 334, "correlation_key": "fp|988ab72554f947f7f7e121b5b653644ca380d122fff12265a85482fb920f1c8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-playground/src/plugins/DraggableBlockPlugin/index.tsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "832943f654ea1fce6b69c6c5b60e328562cee98187017844f6a14e94158f3768", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/nodes/FigmaNode.tsx", "duplicate_line": 2, "correlation_key": "fp|832943f654ea1fce6b69c6c5b60e328562cee98187017844f6a14e94158f3768"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-playground/src/nodes/YouTubeNode.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "92f2d6d9925be42e457935b49f5e629d3e28a999e22b24cf00e5beb6a9f0d68b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/nodes/TweetNode.tsx", "duplicate_line": 1, "correlation_key": "fp|92f2d6d9925be42e457935b49f5e629d3e28a999e22b24cf00e5beb6a9f0d68b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-playground/src/nodes/YouTubeNode.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "52b6f2d04a9627f872718a7ddcf9832356ef0b9cfed230087bc47c5fbccd3ff2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/nodes/FigmaNode.tsx", "duplicate_line": 2, "correlation_key": "fp|52b6f2d04a9627f872718a7ddcf9832356ef0b9cfed230087bc47c5fbccd3ff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-playground/src/nodes/TweetNode.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8fe5d82f04af2100abe93cd7f08a4fb0b5649f58bbb6900b77dcafef99df8379", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/nodes/PageBreakNode/index.tsx", "duplicate_line": 31, "correlation_key": "fp|8fe5d82f04af2100abe93cd7f08a4fb0b5649f58bbb6900b77dcafef99df8379"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-playground/src/nodes/PollComponent.tsx"}, "region": {"startLine": 139}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca8ad939c2dbe0538c37ee559a1f12d96665bd1d1e60538c7aa467d3e4477e1b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-playground/src/nodes/ExcalidrawNode/index.tsx", "duplicate_line": 84, "correlation_key": "fp|ca8ad939c2dbe0538c37ee559a1f12d96665bd1d1e60538c7aa467d3e4477e1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-playground/src/nodes/ImageNode.tsx"}, "region": {"startLine": 297}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 22701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9409eea91dbcd62fb5c70de02ed3a74ebc64e1c8362383dc78b9235db1a4e463", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/lexical-code-prism/src/CodeHighlighterPrism.ts", "duplicate_line": 1, "correlation_key": "fp|9409eea91dbcd62fb5c70de02ed3a74ebc64e1c8362383dc78b9235db1a4e463"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-code-shiki/src/CodeHighlighterShiki.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 22734, "scanner": "repobility-threat-engine", "fingerprint": "d9f1affcacb96541cb9dfea69fa7d055adaca1abde44138d49cbaaea5562cb22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d9f1affcacb96541cb9dfea69fa7d055adaca1abde44138d49cbaaea5562cb22"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 22727, "scanner": "repobility-threat-engine", "fingerprint": "9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 22726, "scanner": "repobility-threat-engine", "fingerprint": "538c576e37330fb37bd7899b231e5f04f6fce9daf3e526ae0184e28dadeb5aae", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|41|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-playground/src/commenting/index.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 22725, "scanner": "repobility-threat-engine", "fingerprint": "f127734f34f7a495a48969c8a3c818c805a4e4b705c8ee39a4a828d2f759c0b5", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|720|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical/src/LexicalUtils.ts"}, "region": {"startLine": 720}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 22724, "scanner": "repobility-threat-engine", "fingerprint": "89fe4e12660abb8011b90b7031286c559c6861322af01ac4a425ffa2924fba84", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|40|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-react/src/LexicalCollaborationContext.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 22723, "scanner": "repobility-threat-engine", "fingerprint": "54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864"}}}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 22732, "scanner": "repobility-threat-engine", "fingerprint": "ae585a875ffc22f35c48e0774830fb95432b142c78373909ec5319d5e2648113", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|18|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/vanilla-js/src/main.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 22731, "scanner": "repobility-threat-engine", "fingerprint": "a434d1fc09e8ba26c41cf10358fa0ecb86cd81432ed8cef5ae42821439b35b07", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|20|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/vanilla-js-plugin/src/main.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 22729, "scanner": "repobility-threat-engine", "fingerprint": "c6a3c04b3d1c4668df2b27deb669793ab8158ea9e1afc3d21305c0bc21d23565", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c6a3c04b3d1c4668df2b27deb669793ab8158ea9e1afc3d21305c0bc21d23565"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-playground/src/plugins/ActionsPlugin/index.tsx"}, "region": {"startLine": 168}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 22728, "scanner": "repobility-threat-engine", "fingerprint": "4686cb68d6bfd2a73d067dda86dfcca7712b6b22a45586b934c390cb090dacc8", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4686cb68d6bfd2a73d067dda86dfcca7712b6b22a45586b934c390cb090dacc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-clipboard/src/clipboard.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22722, "scanner": "repobility-threat-engine", "fingerprint": "d57e9870f431d1a32a1f178213b887c9ed2861a751113b970b6bb9415a7c37fd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d57e9870f431d1a32a1f178213b887c9ed2861a751113b970b6bb9415a7c37fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-react/src/LexicalAutoEmbedPlugin.tsx"}, "region": {"startLine": 177}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22721, "scanner": "repobility-threat-engine", "fingerprint": "2f7df36fe424ea3cfb3bc139f6db8f0279de89ab06d3ff403f3990d15f64d847", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f7df36fe424ea3cfb3bc139f6db8f0279de89ab06d3ff403f3990d15f64d847"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/lexical-utils/src/index.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22720, "scanner": "repobility-threat-engine", "fingerprint": "9ec81341dc4e2240de2a2e85f82b8ac2b4ddd19bff8df346a2ef468365b4a216", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9ec81341dc4e2240de2a2e85f82b8ac2b4ddd19bff8df346a2ef468365b4a216"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update-tsconfig.mjs"}, "region": {"startLine": 112}}}]}]}]}