{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 986 lines (recommend <300)", "shortDescription": {"text": "Average file size is 986 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. 
Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility", "category": "error_handling", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 986 lines (recommend <300)", "shortDescription": {"text": "Average file size is 986 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility", "category": "error_handling", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.", "shortDescription": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.", "shortDescription": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/create-release` pinned to mutable ref `@v1`", "shortDescription": {"text": "Action `actions/create-release` pinned to mutable ref `@v1`"}, "fullDescription": {"text": "`uses: actions/create-release@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/18"}, "properties": {"repository": "evanw/esbuild", "repoUrl": "https://github.com/evanw/esbuild", "branch": "main"}, "results": [{"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 42056, "scanner": "repobility-threat-engine", "fingerprint": "3d1b0d26532bcbaea458e99a7e3024edf8adab0f778f017f838292b2d8eb75c0", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d1b0d26532bcbaea458e99a7e3024edf8adab0f778f017f838292b2d8eb75c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/parse-ts-files.js"}, "region": {"startLine": 53}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 42055, "scanner": "repobility-threat-engine", "fingerprint": "2ed6ee1df0718eb8f3c8b3e946356653f69a0a22ac58debe0679679a8ce7bf0d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", 
"confidence": 1.0, "correlation_key": "fp|2ed6ee1df0718eb8f3c8b3e946356653f69a0a22ac58debe0679679a8ce7bf0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/destructuring-fuzzer.js"}, "region": {"startLine": 139}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 42053, "scanner": "repobility-threat-engine", "fingerprint": "2df5e10991126b9f3b2f99168b43f035b12129bfea3bfbf717d18c5367c6f6ea", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/test262-async.js|40|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/test262-async.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 42052, "scanner": "repobility-threat-engine", "fingerprint": "4b6ce983738742c15ea387fe5ba4b094e93d50005707ddcc43450afc2ba3dda1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new Function(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|121|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/destructuring-fuzzer.js"}, "region": {"startLine": 121}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 986 lines (recommend <300)"}, "properties": {"repobilityId": 2073, "scanner": "repobility-core", "fingerprint": "1f0e8a7e62016286f8ab51d2740888d058736a78b2867dbf2a3fcc2a18f24b7a", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|1f0e8a7e62016286f8ab51d2740888d058736a78b2867dbf2a3fcc2a18f24b7a"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 1271, "scanner": "repobility", "fingerprint": "21e7db29da3ad1ee98f849dbd04cc1f25fd7fb9a1007ef036ab95efeecdc462e", "category": "error_handling", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/js-api-tests.js"}, "region": {"startLine": 2904}}}]}, {"ruleId": "ERR002", "level": "warning", "message": 
{"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 1270, "scanner": "repobility", "fingerprint": "abe827beb2e94b95f2694e359aa4e12d00f84161551dd27d0c05999117c6ad39", "category": "error_handling", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/plugin-tests.js"}, "region": {"startLine": 1868}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 1269, "scanner": "repobility", "fingerprint": "3049ff3f80da968f64b608113138ec2098848566289a72b50c4fdbe151560d0b", "category": "error_handling", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/destructuring-fuzzer.js"}, "region": {"startLine": 139}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 986 lines (recommend <300)"}, "properties": {"repobilityId": 1264, "scanner": "repobility", "fingerprint": "732478a0d8b7be9ccc076f56983740ce7c58de42d0f7355801dc530403c86662", "category": "quality", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {}}}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 42060, "scanner": "repobility-threat-engine", "fingerprint": "fcc8b7ff8a8451e8f044e7558187b8c38bc510c5aa83fecce4057d5c2f02048d", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'\\x1B[32m[' + kind + ']\\x1B[0m'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fcc8b7ff8a8451e8f044e7558187b8c38bc510c5aa83fecce4057d5c2f02048d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/test262-async.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 42005, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e40a4d584dfd4025a9ddeead8b851c026745f895603c63acefe621ec0d94557", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/terser-tests.js", "duplicate_line": 166, "correlation_key": "fp|1e40a4d584dfd4025a9ddeead8b851c026745f895603c63acefe621ec0d94557"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/uglify-tests.js"}, "region": {"startLine": 244}}}]}, {"ruleId": "AIC003", "level": 
"note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 42004, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa2df6fe02f77aba0a794e9514a34d4243f4fbe03e453636c3069830264025f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/config/config.go", "duplicate_line": 146, "correlation_key": "fp|aa2df6fe02f77aba0a794e9514a34d4243f4fbe03e453636c3069830264025f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/api.go"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 42003, "scanner": "repobility-ai-code-hygiene", "fingerprint": "baac25a7b5759a2c000d3cd95a69ea84e491ec4fe499a143850307e22c32ae7f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/deno/wasm.ts", "duplicate_line": 37, "correlation_key": "fp|baac25a7b5759a2c000d3cd95a69ea84e491ec4fe499a143850307e22c32ae7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/npm/browser.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 42002, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"edce302a7923703ee631b493f749f82368d8714ca486cb48781fbb1b22e2cd4b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lib/deno/mod.ts", "duplicate_line": 6, "correlation_key": "fp|edce302a7923703ee631b493f749f82368d8714ca486cb48781fbb1b22e2cd4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/deno/wasm.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 42001, "scanner": "repobility-ai-code-hygiene", "fingerprint": "18f4b4880a691720d3c27e814185f0633be0a2a3c2df86e0a07f79041203a205", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/logger/logger_darwin.go", "duplicate_line": 10, "correlation_key": "fp|18f4b4880a691720d3c27e814185f0633be0a2a3c2df86e0a07f79041203a205"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/logger/logger_linux.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 42000, "scanner": "repobility-ai-code-hygiene", "fingerprint": "18cb7b5af6c5775362a0cb692993daab2fa64c189c170085c593e82157b2abcb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat-table/src/caniuse.ts", "duplicate_line": 46, "correlation_key": "fp|18cb7b5af6c5775362a0cb692993daab2fa64c189c170085c593e82157b2abcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat-table/src/mdn.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41999, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b11e22e550725a26f15385cabcdf4b31f769466ee718714dcf15b242ef51253e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat-table/src/css_table.ts", "duplicate_line": 5, "correlation_key": "fp|b11e22e550725a26f15385cabcdf4b31f769466ee718714dcf15b242ef51253e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat-table/src/js_table.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 1275, "scanner": "repobility", "fingerprint": "2c585eb6ce1e6696d8ee08ffa7cfacf6b4be8bdd3f1a6877e675888b80769126", "category": "error_handling", "severity": "low", "confidence": null, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/bundler/bundler.go"}, 
"region": {"startLine": 3421}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 1274, "scanner": "repobility", "fingerprint": "46bca32838b944840ea6f28c48cfd1135403ec0c0b681c08ae6c42c55fcaedae", "category": "error_handling", "severity": "low", "confidence": null, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js_lexer/js_lexer.go"}, "region": {"startLine": 643}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 1273, "scanner": "repobility", "fingerprint": "a1cd73710817219b1ff45cdd957a6ce92fb43f61fbb821d26393f45dd4f6413c", "category": "error_handling", "severity": "low", "confidence": null, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js_parser/ts_parser.go"}, "region": {"startLine": 992}}}]}, {"ruleId": "SEC015", "level": "note", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 1267, "scanner": "repobility", "fingerprint": "23849761ec7ccc9fa227d1605a3f012d42913bf4d84bc5e432a553d18a929a80", "category": "crypto", "severity": "low", "confidence": null, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "No security-sensitive keywords nearby \u2014 may be non-security use (UI, shuffling, etc.)", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ts-type-tests.js"}, "region": {"startLine": 194}}}]}, {"ruleId": "SEC015", "level": "note", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 1266, "scanner": "repobility", "fingerprint": "61f0e4bf359da843858be859c738d91bb68662636bee78a3071b045737fa16b8", "category": "crypto", "severity": "low", "confidence": null, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "No security-sensitive keywords nearby \u2014 may be non-security use (UI, shuffling, etc.)", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/destructuring-fuzzer.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC015", "level": "note", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 1265, "scanner": "repobility", "fingerprint": "e1186711a3a97cdb0ecbe94da4608323dbb0478493ed7931f5bde240b6ea9724", "category": "crypto", "severity": "low", "confidence": null, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "No security-sensitive keywords nearby \u2014 may be non-security use (UI, shuffling, etc.)", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/esbuild.js"}, "region": {"startLine": 323}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 42051, "scanner": "repobility-threat-engine", "fingerprint": "616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "aggregated_count": 5}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 42050, "scanner": "repobility-threat-engine", "fingerprint": "2fe4d34dfab9b4303b053680fb12c75b303f020f9827ae7bc0e058c519616cf0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2fe4d34dfab9b4303b053680fb12c75b303f020f9827ae7bc0e058c519616cf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/node-unref-tests.js"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 42049, "scanner": "repobility-threat-engine", "fingerprint": "3227e5d95f66dcf4ad4de3143b7747cf45434f7a7a234958b24b9202f5529d0e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3227e5d95f66dcf4ad4de3143b7747cf45434f7a7a234958b24b9202f5529d0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/browser/browser-tests.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 42048, "scanner": "repobility-threat-engine", "fingerprint": "36007b3c8591b0dd5f54f886c1257cdffcc2e017f56ba13f4189309ca8d1f346", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|36007b3c8591b0dd5f54f886c1257cdffcc2e017f56ba13f4189309ca8d1f346"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "require/yarnpnp/in.mjs"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 42045, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 42040, "scanner": "repobility-threat-engine", "fingerprint": "3523b02b6171c26a0da0ebce5a8680b54d474b1aa8dce9287808c8551c0d1319", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3523b02b6171c26a0da0ebce5a8680b54d474b1aa8dce9287808c8551c0d1319"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat-table/src/mdn.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 42039, "scanner": "repobility-threat-engine", "fingerprint": "b8329f046c004e150d024efd08ccb1cbf77e1e4d14c687551d164de5c80c47f4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b8329f046c004e150d024efd08ccb1cbf77e1e4d14c687551d164de5c80c47f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat-table/src/js_table.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 42038, "scanner": "repobility-threat-engine", "fingerprint": "8e7842366dcf25ad47c988b1c9e183cff1454b4b011f9fce9bd6b4152877d112", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e7842366dcf25ad47c988b1c9e183cff1454b4b011f9fce9bd6b4152877d112"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat-table/src/css_table.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 42034, "scanner": "repobility-threat-engine", "fingerprint": "9b3140f1a544f1ef1e4ee1c8fe4f37d0e07d4cf440fa514118050d9d52cbc42e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9b3140f1a544f1ef1e4ee1c8fe4f37d0e07d4cf440fa514118050d9d52cbc42e", "aggregated_count": 4}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 42033, "scanner": "repobility-threat-engine", "fingerprint": "91c9c1d060f3d5865d53108f01023259a4fe616a4df5dab3bb367437404008d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|91c9c1d060f3d5865d53108f01023259a4fe616a4df5dab3bb367437404008d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/helpers/timer.go"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 42032, "scanner": "repobility-threat-engine", "fingerprint": "c21a53106697ce1bc8228b6a508843c69508b0337a7eb11540be1b5437a2d797", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c21a53106697ce1bc8228b6a508843c69508b0337a7eb11540be1b5437a2d797"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/fs/fs_mock.go"}, "region": {"startLine": 320}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 42031, "scanner": "repobility-threat-engine", "fingerprint": "aaeae42f49ddd9987ba89038984e3b4d5b06e6aa140e4cdba4393a0bb14b120e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aaeae42f49ddd9987ba89038984e3b4d5b06e6aa140e4cdba4393a0bb14b120e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/esbuild/stdio_protocol.go"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 2082, "scanner": "repobility-threat-engine", "fingerprint": "d59ef04c625ea230de3686601d6a96403b434fd1f2d176f8903399c6897aa471", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(process.env.NODE_ENV)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/js-api-tests.js"}, "region": {"startLine": 6596}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 1276, "scanner": "repobility", "fingerprint": "884d7a339544c6c2ac59cff6144a7144394025d16bc37da533dd6b137c13c230", "category": "error_handling", "severity": "info", "confidence": null, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Deduplicated: 2 additional occurrences found", "evidence": {}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 1272, "scanner": "repobility", "fingerprint": "0208b64098ff4103232d1d6613a378c75c43627bf735aecb90d016c39fbe7e6a", "category": "error_handling", "severity": "info", "confidence": null, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Deduplicated: 2 additional occurrences found", "evidence": {}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 1268, "scanner": "repobility", "fingerprint": "cc977aab0100034b531b8fc83b0504e71d7a5fcf6466d2b506e3a601a34c191d", "category": "crypto", "severity": "info", "confidence": null, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Deduplicated: 3 additional occurrences found", "evidence": {}}}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 42059, "scanner": "repobility-threat-engine", "fingerprint": "36495e64b164334e16b71014c5570b97279b5dab0e66453dece5ffa4c96e3943", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(js", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|36495e64b164334e16b71014c5570b97279b5dab0e66453dece5ffa4c96e3943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/test262-async.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 42058, "scanner": "repobility-threat-engine", "fingerprint": "abe4f43884b4349cd14237ce8776f0f7f8d386025aaf7e452d9665b3b8fdfcc2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "child_process.execSync(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|abe4f43884b4349cd14237ce8776f0f7f8d386025aaf7e452d9665b3b8fdfcc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/test-yarnpnp.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, 
"properties": {"repobilityId": 42047, "scanner": "repobility-threat-engine", "fingerprint": "62af78d56dc27f062e902d251decca555244cea7c02e3594793cccbddb046706", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62af78d56dc27f062e902d251decca555244cea7c02e3594793cccbddb046706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js_parser/json_parser.go"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 42046, "scanner": "repobility-threat-engine", "fingerprint": "418af5864f57bd8ac182177b63bc484f103808012f0c8fd4e708656223e34a77", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|418af5864f57bd8ac182177b63bc484f103808012f0c8fd4e708656223e34a77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/js_parser/global_name_parser.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC029", 
"level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 42044, "scanner": "repobility-threat-engine", "fingerprint": "63a7c379d14d6730e9ad851786231e4c2a21619cdd9587becef59ac4705df3ed", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|63a7c379d14d6730e9ad851786231e4c2a21619cdd9587becef59ac4705df3ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/resolver/dataurl.go"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 42043, "scanner": "repobility-threat-engine", "fingerprint": "1288c08ac7e847ca37ec4390e1d5302643c7a1cf22e7cbf5463327d41853dc9a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1288c08ac7e847ca37ec4390e1d5302643c7a1cf22e7cbf5463327d41853dc9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/helpers/path.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 42042, "scanner": "repobility-threat-engine", "fingerprint": "6f66a9eaeece35bc29bbdbd50214f6a771e0dc026630ce7327e45ed237d902a5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6f66a9eaeece35bc29bbdbd50214f6a771e0dc026630ce7327e45ed237d902a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/helpers/dataurl.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 42041, "scanner": "repobility-threat-engine", "fingerprint": "876ca59826ac930d59d390d34dfc123857cbe65033f244bd93ee5a3517a3d1a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|876ca59826ac930d59d390d34dfc123857cbe65033f244bd93ee5a3517a3d1a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/fs/iswin_wasm.go"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting 
.innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 42037, "scanner": "repobility-threat-engine", "fingerprint": "7b95bcc376989a431fc5f6be7cf17accc1fa773caf985839277b81e99f2070ac", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}=${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b95bcc376989a431fc5f6be7cf17accc1fa773caf985839277b81e99f2070ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/browser/browser-tests.js"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 42036, "scanner": "repobility-threat-engine", "fingerprint": "a2a1c1ca1be529772c2341f4bff81ec24a26faf78f14ac3d1d70f3e682bf0fc4", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `\\t${(key + ':').padEnd(maxLength)} ${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a2a1c1ca1be529772c2341f4bff81ec24a26faf78f14ac3d1d70f3e682bf0fc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat-table/src/js_table.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 42035, "scanner": "repobility-threat-engine", "fingerprint": "6f4aecafc165d428958e3dd65197ab87dbf3d43485f4c3860f311d1555f37e33", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `\\t${(key + ':').padEnd(maxLength)} ${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6f4aecafc165d428958e3dd65197ab87dbf3d43485f4c3860f311d1555f37e33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat-table/src/css_table.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/create-release` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 42030, "scanner": "repobility-supply-chain", "fingerprint": "7e8e4101d5ebf5a2c78953fcb04b259d09e541f6adb797569ec7971a5294c22e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e8e4101d5ebf5a2c78953fcb04b259d09e541f6adb797569ec7971a5294c22e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42029, "scanner": "repobility-supply-chain", "fingerprint": 
"6237f2b305c392787cca1010745f38f664f9a5f68a30c4ea2f0c3f6f10b29dec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6237f2b305c392787cca1010745f38f664f9a5f68a30c4ea2f0c3f6f10b29dec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42028, "scanner": "repobility-supply-chain", "fingerprint": "7ae71bc82bee9bbcb003a18723bd6b3fed329f8bae0d7a611da514db0cbfc47f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ae71bc82bee9bbcb003a18723bd6b3fed329f8bae0d7a611da514db0cbfc47f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42027, "scanner": "repobility-supply-chain", "fingerprint": "a5d40d9a1160b2c5273e26b9e8421c84b37d9bd7cb4868448d6d6fbf7ea1ae18", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], 
"languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5d40d9a1160b2c5273e26b9e8421c84b37d9bd7cb4868448d6d6fbf7ea1ae18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42026, "scanner": "repobility-supply-chain", "fingerprint": "a220029a4022739f4d804f966945665a447c18bb6a6bf5cb37130ab83d3aee52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a220029a4022739f4d804f966945665a447c18bb6a6bf5cb37130ab83d3aee52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42025, "scanner": "repobility-supply-chain", "fingerprint": "6b073017aa6ba9253e8350b6f0d127e06eeead24433612e70cee32be2eaadc06", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b073017aa6ba9253e8350b6f0d127e06eeead24433612e70cee32be2eaadc06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": 
"MINED115", "level": "error", "message": {"text": "Action `denoland/setup-deno` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 42024, "scanner": "repobility-supply-chain", "fingerprint": "4fbb1c7ae3dd62dbce01966802d3eac488c9c842f1f0ef95e793fc22adda9e3e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fbb1c7ae3dd62dbce01966802d3eac488c9c842f1f0ef95e793fc22adda9e3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42023, "scanner": "repobility-supply-chain", "fingerprint": "32e87cf30bed11a454cc77d79e847763947c08b5967591f7cd7352aeb1dc1455", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|32e87cf30bed11a454cc77d79e847763947c08b5967591f7cd7352aeb1dc1455"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42022, "scanner": "repobility-supply-chain", "fingerprint": "eba0f05d4a21ec50037de54d6ed96d1314e8812e049df270ca1dbb3986cc50da", "category": "dependency", "severity": "high", "confidence": 
0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eba0f05d4a21ec50037de54d6ed96d1314e8812e049df270ca1dbb3986cc50da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42021, "scanner": "repobility-supply-chain", "fingerprint": "ef742bb588b1b82680c9ec8c83f238c1ec911a5f36bdef2da008720a674662e1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef742bb588b1b82680c9ec8c83f238c1ec911a5f36bdef2da008720a674662e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 320}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `denoland/setup-deno` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 42020, "scanner": "repobility-supply-chain", "fingerprint": "878fa552415bbfb8852be0fa5e45de67f2e2172a109dfca604bcaea64339529a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|878fa552415bbfb8852be0fa5e45de67f2e2172a109dfca604bcaea64339529a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 315}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42019, "scanner": "repobility-supply-chain", "fingerprint": "0550bab5b63f0b67527f4b3af799bf97746d0d7965012d2095a454fad1cac05e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0550bab5b63f0b67527f4b3af799bf97746d0d7965012d2095a454fad1cac05e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42018, "scanner": "repobility-supply-chain", "fingerprint": "5f6eb998aa04a78f32897efea8653050b35146bb9aee56732c60b299c770b5f8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f6eb998aa04a78f32897efea8653050b35146bb9aee56732c60b299c770b5f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 294}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v3`"}, "properties": 
{"repobilityId": 42017, "scanner": "repobility-supply-chain", "fingerprint": "7b8ede7dea8b98017193043ed40c11af737c562f986e7805c4e7b3015080cafc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b8ede7dea8b98017193043ed40c11af737c562f986e7805c4e7b3015080cafc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 236}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42016, "scanner": "repobility-supply-chain", "fingerprint": "0016120607d735ad8bd2da2cb7ac94684d8fddcba665cc8fd4fa1878f8d23d7a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0016120607d735ad8bd2da2cb7ac94684d8fddcba665cc8fd4fa1878f8d23d7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `denoland/setup-deno` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 42015, "scanner": "repobility-supply-chain", "fingerprint": "4ab219fe9ef7eeece39331b7ca7b367805b3698be8f26622f53fb2916cb322fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": 
{"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ab219fe9ef7eeece39331b7ca7b367805b3698be8f26622f53fb2916cb322fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42014, "scanner": "repobility-supply-chain", "fingerprint": "54f4c621307ca763044df1a81cd8ed7c4f36e2eb034e091de5a0a23ec91c97d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54f4c621307ca763044df1a81cd8ed7c4f36e2eb034e091de5a0a23ec91c97d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42013, "scanner": "repobility-supply-chain", "fingerprint": "6af04870927d0364fff32c7cd4ce03d98643288551a044ba9ede1f80fa8fa779", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6af04870927d0364fff32c7cd4ce03d98643288551a044ba9ede1f80fa8fa779"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/ci.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42012, "scanner": "repobility-supply-chain", "fingerprint": "abbbd70cc28a1eacba1f99fa631a961196c4909924ae2a96b55d96714978b43d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|abbbd70cc28a1eacba1f99fa631a961196c4909924ae2a96b55d96714978b43d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42011, "scanner": "repobility-supply-chain", "fingerprint": "5be22073d4e24ad9fbc68f8c9f0d74959a3eea2cde813f1d040c74fd0ec3558d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5be22073d4e24ad9fbc68f8c9f0d74959a3eea2cde813f1d040c74fd0ec3558d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42010, "scanner": "repobility-supply-chain", "fingerprint": 
"04504010969c7002894d39e4cea0de146b9f1731f31e5bbc3b3b5ece95aeeba4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04504010969c7002894d39e4cea0de146b9f1731f31e5bbc3b3b5ece95aeeba4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42009, "scanner": "repobility-supply-chain", "fingerprint": "01e4ee05fdcf0f13c0d368f286ceac98a6005bf17e193420ea93e290a83c4667", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01e4ee05fdcf0f13c0d368f286ceac98a6005bf17e193420ea93e290a83c4667"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42008, "scanner": "repobility-supply-chain", "fingerprint": "9a0e65c20599bd066e73602a2d5d7402f6ed54c302b7ffe042a08fa59d951362", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": 
["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a0e65c20599bd066e73602a2d5d7402f6ed54c302b7ffe042a08fa59d951362"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42007, "scanner": "repobility-supply-chain", "fingerprint": "383d4ac34255893e28cbf044837fa4efbc852a774f00d829113402d880d028d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|383d4ac34255893e28cbf044837fa4efbc852a774f00d829113402d880d028d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 42006, "scanner": "repobility-supply-chain", "fingerprint": "800393782cc5eac7316b44b56422f16a7c3c5069f6c7ee522ba34fef2a4006d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|800393782cc5eac7316b44b56422f16a7c3c5069f6c7ee522ba34fef2a4006d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC084", "level": "error", 
"message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 42057, "scanner": "repobility-threat-engine", "fingerprint": "b6f67f4f321b15d2574edf219d1df3b84e0272c780970be3759749ea9d2b349f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require($", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b6f67f4f321b15d2574edf219d1df3b84e0272c780970be3759749ea9d2b349f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/register-test.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 42054, "scanner": "repobility-threat-engine", "fingerprint": "c1da35b7ba263b1b9ff664053c259d31a6584b71318443b39a7aae656e5cd1dc", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c1da35b7ba263b1b9ff664053c259d31a6584b71318443b39a7aae656e5cd1dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/destructuring-fuzzer.js"}, "region": {"startLine": 121}}}]}]}]}