{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-release-asset` pinned to mutable ref `@v1`: `uses: actions/upload-release-asset@v1` re", "shortDescription": {"text": "[MINED115] Action `actions/upload-release-asset` pinned to mutable ref `@v1`: `uses: actions/upload-release-asset@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-fi"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-release-asset@<40-char-sha>  # v1` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1276"}, "properties": {"repository": "obsidian-tasks-group/obsidian-tasks", "repoUrl": "https://github.com/obsidian-tasks-group/obsidian-tasks", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 129376, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 129375, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 129370, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 129357, "scanner": "repobility-threat-engine", "fingerprint": "8f5ade29b53012feac3b7d67d3c6a2ded7902d3a0e75d4e106feab6a6138527f", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n    [\n        // Match the opening double braces `{{`\n        '\\\\{\\\\{',\n\n        // Lazi", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f5ade29b53012feac3b7d67d3c6a2ded7902d3a0e75d4e106feab6a6138527f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Scripting/ExpandPlaceholders.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 129341, "scanner": "repobility-threat-engine", "fingerprint": "c6776467851f43d32d724fc72bba6bcfbb51c2fdd8cf4c4ea02ed0b058cfeb89", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|136|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Query/Filter/BooleanPreprocessor.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 129340, "scanner": "repobility-threat-engine", "fingerprint": "c3e2df2b4986ada72958b680d18cc08109595393fdb0c6749bda8ab8ae4bc8db", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|58|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Query/Filter/BooleanDelimiters.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 129339, "scanner": "repobility-threat-engine", "fingerprint": "923870d59d6864bf0992189ce9a7282bad05abe599dd809f26594a72dfac17ca", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|56|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/DateTime/DateFallback.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 129323, "scanner": "repobility-threat-engine", "fingerprint": "11edb4138f13646d036241f321e42c288bcfb033492d4f40dde1ada4c08ba0d0", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "window.open(e)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|30|sec041", "duplicate_count": 1, "duplicate_rule_ids": ["SEC041"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["11edb4138f13646d036241f321e42c288bcfb033492d4f40dde1ada4c08ba0d0", "e42867f5a486374751e82454a3c4c419008068502e15825c24e1ee2c15ebf252"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contributing/.obsidian/plugins/copy-publish-url/main.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 129374, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 129373, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 129372, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 129371, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129369, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa8bf1a0f3fd0d2fb85f9914db6dd22f24f41317cbeafad820bee4eb39a32da6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Query/Filter/DependsOnField.ts", "duplicate_line": 11, "correlation_key": "fp|fa8bf1a0f3fd0d2fb85f9914db6dd22f24f41317cbeafad820bee4eb39a32da6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Query/Filter/IdField.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129368, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb836a8d2dc69ba98fde752734f618bdc9f6bfa5cffcc7959af80272461d9bcc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Config/Themes/MinimalThemeCollection.ts", "duplicate_line": 3, "correlation_key": "fp|fb836a8d2dc69ba98fde752734f618bdc9f6bfa5cffcc7959af80272461d9bcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Config/Themes/ThingsThemeCollection.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129367, "scanner": "repobility-ai-code-hygiene", "fingerprint": "578749f1881b1334d29496dc349e30753d4b63bc989fa4187c2f2ac7ac306fad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Config/Themes/AnuPpuccinThemeCollection.ts", "duplicate_line": 3, "correlation_key": "fp|578749f1881b1334d29496dc349e30753d4b63bc989fa4187c2f2ac7ac306fad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Config/Themes/LYTModeThemeCollection.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129366, "scanner": "repobility-ai-code-hygiene", "fingerprint": "50b1aa7c38dbad133775c7954e4ea5a66c38af1702d585aa6d2a4ca2140aaac8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "contributing/.obsidian/plugins/vault-nickname/main.js", "duplicate_line": 11, "correlation_key": "fp|50b1aa7c38dbad133775c7954e4ea5a66c38af1702d585aa6d2a4ca2140aaac8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/sample_vaults/Tasks-Demo/.obsidian/plugins/vault-nickname/main.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129365, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b3732422ef989a5acdbb4fcc29a6a61c877b221e18b49b6e5fb09c2094201af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "contributing/.obsidian/plugins/vault-name-status-bar/main.js", "duplicate_line": 1, "correlation_key": "fp|4b3732422ef989a5acdbb4fcc29a6a61c877b221e18b49b6e5fb09c2094201af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/sample_vaults/Tasks-Demo/.obsidian/plugins/vault-nickname/main.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129364, "scanner": "repobility-ai-code-hygiene", "fingerprint": "989da6af640e119035425e9ee1df9f1f09e5911af866d0ddc8b37f7a5a6eaf44", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "contributing/.obsidian/plugins/vault-name-status-bar/main.js", "duplicate_line": 1, "correlation_key": "fp|989da6af640e119035425e9ee1df9f1f09e5911af866d0ddc8b37f7a5a6eaf44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/sample_vaults/Tasks-Demo/.obsidian/plugins/vault-name-status-bar/main.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129363, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ae10c2000777ef4e941bc97db25f386bd12f8821989e4c2df03532c256d03d3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "contributing/.obsidian/plugins/templater-obsidian/main.js", "duplicate_line": 1, "correlation_key": "fp|9ae10c2000777ef4e941bc97db25f386bd12f8821989e4c2df03532c256d03d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/sample_vaults/Tasks-Demo/.obsidian/plugins/templater-obsidian/main.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129362, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3123d3c605675694cb5087d800d27c55b5c87ac40d9568a352d332c802fa818c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "contributing/.obsidian/plugins/table-editor-obsidian/main.js", "duplicate_line": 1, "correlation_key": "fp|3123d3c605675694cb5087d800d27c55b5c87ac40d9568a352d332c802fa818c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/sample_vaults/Tasks-Demo/.obsidian/plugins/table-editor-obsidian/main.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129361, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c6863a9b15b16b6ca7f3b9e8670ca3e88d34a1ad50b60ae5e09f91b97e3c8a8f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "contributing/.obsidian/plugins/reveal-active-file-button/main.js", "duplicate_line": 1, "correlation_key": "fp|c6863a9b15b16b6ca7f3b9e8670ca3e88d34a1ad50b60ae5e09f91b97e3c8a8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/sample_vaults/Tasks-Demo/.obsidian/plugins/reveal-active-file-button/main.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129360, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a923c317a39c4c64c1d1ace4e5bb5013fe792691ff0f7107c99115ce9d6cfa5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "contributing/.obsidian/plugins/vault-name-status-bar/main.js", "duplicate_line": 1, "correlation_key": "fp|3a923c317a39c4c64c1d1ace4e5bb5013fe792691ff0f7107c99115ce9d6cfa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contributing/.obsidian/plugins/vault-nickname/main.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 129351, "scanner": "repobility-threat-engine", "fingerprint": "8b7a65b36d9a484bd6dbbf770d467e4eb0958f941f6d9de853f3a976e764f3fd", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.warn(\n                'Unexpected failure to create a list item from line: ' + line + '", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8b7a65b36d9a484bd6dbbf770d467e4eb0958f941f6d9de853f3a976e764f3fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Obsidian/FileParser.ts"}, "region": {"startLine": 165}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 129331, "scanner": "repobility-threat-engine", "fingerprint": "8b17b398edd7b3487ea834784506538a43bd077750f1e2566cc38b84547be811", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = R", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|110|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/sample_vaults/Tasks-Demo/.obsidian/plugins/reveal-active-file-button/main.js"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 129359, "scanner": "repobility-threat-engine", "fingerprint": "5b7b87fe44180492d40d0650f8a5f17b5d9b0bb67c178489ab3f956a165d0607", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b7b87fe44180492d40d0650f8a5f17b5d9b0bb67c178489ab3f956a165d0607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Suggestor/EditorSuggestorPopup.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 129355, "scanner": "repobility-threat-engine", "fingerprint": "814505ea9c56c1cdf3329a6624808f8471bdb2072be6a6109dd09cedc8ec8c7b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|814505ea9c56c1cdf3329a6624808f8471bdb2072be6a6109dd09cedc8ec8c7b"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 129350, "scanner": "repobility-threat-engine", "fingerprint": "b58df9499acfd10b1e20b964429ac887f20e8cc016c1011756c8f46ae09a5873", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b58df9499acfd10b1e20b964429ac887f20e8cc016c1011756c8f46ae09a5873", "aggregated_count": 3}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 129349, "scanner": "repobility-threat-engine", "fingerprint": "b7381a3ff615df185d11054c6dc6c0b92c0fd17236e64f0e8fd19d5b47303a81", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7381a3ff615df185d11054c6dc6c0b92c0fd17236e64f0e8fd19d5b47303a81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Scripting/ExpandPlaceholders.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 129348, "scanner": "repobility-threat-engine", "fingerprint": "cfa56354cd79983a5f1b515f62c9c051bace50b58515352d0e61d1c2b3ccc354", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cfa56354cd79983a5f1b515f62c9c051bace50b58515352d0e61d1c2b3ccc354"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Obsidian/FileParser.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 129347, "scanner": "repobility-threat-engine", "fingerprint": "67a9ba154a703d6cca5b4f8f7aeaba54990b3583cd6cd4a2ac807cd2b04c8c24", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|67a9ba154a703d6cca5b4f8f7aeaba54990b3583cd6cd4a2ac807cd2b04c8c24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/IQuery.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 129346, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 129342, "scanner": "repobility-threat-engine", "fingerprint": "f50747163d70dab1fa2519c9a96d374fa64771763e354f97facd6a46500faf29", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f50747163d70dab1fa2519c9a96d374fa64771763e354f97facd6a46500faf29"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 129335, "scanner": "repobility-threat-engine", "fingerprint": "a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "aggregated_count": 4}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 129334, "scanner": "repobility-threat-engine", "fingerprint": "d70c53844613a36f208d697c2e23a4aad3f6e0b17c98a1dd23e9885a38e60d92", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d70c53844613a36f208d697c2e23a4aad3f6e0b17c98a1dd23e9885a38e60d92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Commands/CreateOrEdit.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 129333, "scanner": "repobility-threat-engine", "fingerprint": "c3410434a045cd5247ac147bf63619cd42c2350cab83112fed5d3aa3ba93f810", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c3410434a045cd5247ac147bf63619cd42c2350cab83112fed5d3aa3ba93f810"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Commands/CreateEditorCallback.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 129332, "scanner": "repobility-threat-engine", "fingerprint": "ca933fcbe90655217e97457ae41b139d288942c5d9a5a5c330704993e470e51c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca933fcbe90655217e97457ae41b139d288942c5d9a5a5c330704993e470e51c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Commands/AddQueryFileDefaultsProperties.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 129330, "scanner": "repobility-threat-engine", "fingerprint": "2177bd195a1c56b7fead0a67dee8b3e17ed4bf178b459182d0b03ee16bc5f8b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2177bd195a1c56b7fead0a67dee8b3e17ed4bf178b459182d0b03ee16bc5f8b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/sample_vaults/Tasks-Demo/.obsidian/plugins/reveal-active-file-button/main.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 129329, "scanner": "repobility-threat-engine", "fingerprint": "51ec73a9ec8197e2b7dd62a5718eb41e69ee113200d14990f4d73e0eb4de7304", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51ec73a9ec8197e2b7dd62a5718eb41e69ee113200d14990f4d73e0eb4de7304"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "esbuild.config.mjs"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 129328, "scanner": "repobility-threat-engine", "fingerprint": "f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "aggregated_count": 8}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 129327, "scanner": "repobility-threat-engine", "fingerprint": "6cc30ac8da8aed0149c171c129fc2dd4933b63fd427857819f2d4be322da5f75", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6cc30ac8da8aed0149c171c129fc2dd4933b63fd427857819f2d4be322da5f75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/sample_vaults/Tasks-Demo/.obsidian/plugins/hot-reload/main.js"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 129326, "scanner": "repobility-threat-engine", "fingerprint": "89f08a9e1ab4ea573d2bee240da6a0ee1b16af87bcafa55c8ca15e2df1bcf0da", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|89f08a9e1ab4ea573d2bee240da6a0ee1b16af87bcafa55c8ca15e2df1bcf0da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/.obsidian/plugins/copy-publish-url/main.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 129325, "scanner": "repobility-threat-engine", "fingerprint": "399749feca872c87dc85bbeac42d180cb6ea53cf3dfd1180fc13d99c526d1f5d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|399749feca872c87dc85bbeac42d180cb6ea53cf3dfd1180fc13d99c526d1f5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contributing/.obsidian/plugins/copy-publish-url/main.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 129324, "scanner": "repobility-threat-engine", "fingerprint": "7e67d9e8a7a5047ba59414eaced3ea98196bb5c80a7ccd782127c98e48524eb0", "category": "security", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"match": "window.open(\"https://raw.githubusercontent.com/chrisgrieser/obsidian-theme-design-utilities/master/c", "reason": "Safe pattern 'test\\b' detected on same line", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|security|token|6|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/sample_vaults/Tasks-Demo/.obsidian/plugins/obsidian-theme-design-utilities/main.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-release-asset` pinned to mutable ref `@v1`: `uses: actions/upload-release-asset@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129389, "scanner": "repobility-supply-chain", "fingerprint": "1a9915fba571cc9eb4842d4e25decf59fc1136b158f9ed899459fea663d1e669", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a9915fba571cc9eb4842d4e25decf59fc1136b158f9ed899459fea663d1e669"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-release-asset` pinned to mutable ref `@v1`: `uses: actions/upload-release-asset@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129388, "scanner": "repobility-supply-chain", "fingerprint": "4c8ff22d246fd2bc51b655a7e20e8002aeba4f7c0e6f7dda78a18e2bed9a703b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c8ff22d246fd2bc51b655a7e20e8002aeba4f7c0e6f7dda78a18e2bed9a703b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-release-asset` pinned to mutable ref `@v1`: `uses: actions/upload-release-asset@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129387, "scanner": "repobility-supply-chain", "fingerprint": "21a8458529073a9b2e21bda3041ec235111ac092d66e0c3b5ed5642e72d76685", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21a8458529073a9b2e21bda3041ec235111ac092d66e0c3b5ed5642e72d76685"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-release-asset` pinned to mutable ref `@v1`: `uses: actions/upload-release-asset@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129386, "scanner": "repobility-supply-chain", "fingerprint": "afd003f4f050ad89c0945fcbd098bd5acacfaa0de86a086213b92076482d3620", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|afd003f4f050ad89c0945fcbd098bd5acacfaa0de86a086213b92076482d3620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-release` pinned to mutable ref `@v1`: `uses: actions/create-release@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129385, "scanner": "repobility-supply-chain", "fingerprint": "df5f66f205f1369e503df68fb9fa71c3b9890f04e8574e169dcd33a0af5a52b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df5f66f205f1369e503df68fb9fa71c3b9890f04e8574e169dcd33a0af5a52b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129384, "scanner": "repobility-supply-chain", "fingerprint": "15ba7bee7036a154f4834914f60d111db0712f201dee1d22bb6cbf29daa5c947", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15ba7bee7036a154f4834914f60d111db0712f201dee1d22bb6cbf29daa5c947"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129383, "scanner": "repobility-supply-chain", "fingerprint": "6ab429a1680814479e3474f6dfdc6c5f724f98d4f36436d21b78b10c403bd3fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ab429a1680814479e3474f6dfdc6c5f724f98d4f36436d21b78b10c403bd3fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129382, "scanner": "repobility-supply-chain", "fingerprint": "93fcd47a439bb808ce95fb01844133ffb323d45d45ae84f242b52128a710c9eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93fcd47a439bb808ce95fb01844133ffb323d45d45ae84f242b52128a710c9eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129381, "scanner": "repobility-supply-chain", "fingerprint": "8dd86754e2856e418181f68844aa1f1663ccc380d60f9520f8443e095bf044d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8dd86754e2856e418181f68844aa1f1663ccc380d60f9520f8443e095bf044d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129380, "scanner": "repobility-supply-chain", "fingerprint": "01fd3aecdf6bbc1bddabdfaf213d6cc853c90f1667e800da511c210ae1f5cf34", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01fd3aecdf6bbc1bddabdfaf213d6cc853c90f1667e800da511c210ae1f5cf34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129379, "scanner": "repobility-supply-chain", "fingerprint": "15fbd12af1173e75ac40fa88bd9aeaad8c0d9fb2ebdc74d1f63ebcecfbd49861", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15fbd12af1173e75ac40fa88bd9aeaad8c0d9fb2ebdc74d1f63ebcecfbd49861"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129378, "scanner": "repobility-supply-chain", "fingerprint": "50dd857e305d8a6990eb37b27626a317bba7ee15476c3ffeb0ab7576a3f75984", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50dd857e305d8a6990eb37b27626a317bba7ee15476c3ffeb0ab7576a3f75984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-docs-markdown.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129377, "scanner": "repobility-supply-chain", "fingerprint": "909b90390c36ccea12497f380b38fd5c8fcbe77069db5186ebc94fcea4aee273", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|909b90390c36ccea12497f380b38fd5c8fcbe77069db5186ebc94fcea4aee273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-docs-markdown.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 129356, "scanner": "repobility-threat-engine", "fingerprint": "c93695d5ba97e56910fdf00c1d966d5fb264a7e9db65ce36e2752d54665dd936", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${key.padEnd(maxKeyLength)}: ${summariseInstruction(value)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c93695d5ba97e56910fdf00c1d966d5fb264a7e9db65ce36e2752d54665dd936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Query/Presets/Presets.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 129354, "scanner": "repobility-threat-engine", "fingerprint": "b3065309fdd9cd8569212285828a9e7d446272bb0ff1a5a798f2820cdeaade7d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(String", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b3065309fdd9cd8569212285828a9e7d446272bb0ff1a5a798f2820cdeaade7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Scripting/KnownPlaceholderResolver.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 129353, "scanner": "repobility-threat-engine", "fingerprint": "ffaa390ee90fd87232d53c702e3cb3853e9f2845a01c81b53b9c4277904d7da0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(query", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ffaa390ee90fd87232d53c702e3cb3853e9f2845a01c81b53b9c4277904d7da0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Query/Matchers/RegexMatcher.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 129352, "scanner": "repobility-threat-engine", "fingerprint": "939f27ae1c0c6909bcf0739e8727c9906b5618b24c3d9a77d4aa24ec126e802b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(anyOfTheseChars", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|939f27ae1c0c6909bcf0739e8727c9906b5618b24c3d9a77d4aa24ec126e802b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Query/Filter/BooleanPreprocessor.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 129345, "scanner": "repobility-threat-engine", "fingerprint": "06173a93c3fb533801231cf7b81313b659c9d256d59d2de7426bb75ed61c0c13", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(part", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|06173a93c3fb533801231cf7b81313b659c9d256d59d2de7426bb75ed61c0c13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Query/Filter/BooleanPreprocessor.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 129344, "scanner": "repobility-threat-engine", "fingerprint": "41e64caab6da092a3fe93aac68e84bc0bafd730876b2bf9f52b7f5e73c2ed797", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(trimmedInstruction", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|41e64caab6da092a3fe93aac68e84bc0bafd730876b2bf9f52b7f5e73c2ed797"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Query/Filter/BooleanDelimiters.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 129343, "scanner": "repobility-threat-engine", "fingerprint": "2bf30ea28d6acb6cd8c6a35a4e7986e749a69235d50004d28444c984e91168ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(basename", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2bf30ea28d6acb6cd8c6a35a4e7986e749a69235d50004d28444c984e91168ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/DateTime/DateFallback.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 129338, "scanner": "repobility-threat-engine", "fingerprint": "95eec5e077ae118b0e21eb83b48850ed001da1f6c0bec9822817c90c8e5bc70a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "instance.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95eec5e077ae118b0e21eb83b48850ed001da1f6c0bec9822817c90c8e5bc70a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/Menus/DatePicker.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 129337, "scanner": "repobility-threat-engine", "fingerprint": "47bbf0665b40ebe34cfb5ae717a8650990aa396ead6a79fedcdac40188cd98fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.values.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|47bbf0665b40ebe34cfb5ae717a8650990aa396ead6a79fedcdac40188cd98fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Config/InMemoryLocalStorageProvider.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 129336, "scanner": "repobility-threat-engine", "fingerprint": "6e3fa3dda80773f9171e8119ee365a96a09c710f266d6dd39cf60bdf84bf252f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.storage.save(ENABLE_JS_IN_TASKS_QUERIES_KEY, value);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6e3fa3dda80773f9171e8119ee365a96a09c710f266d6dd39cf60bdf84bf252f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Config/EnableJsInTasksQueries.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 129322, "scanner": "repobility-threat-engine", "fingerprint": "226b9d5d41eb9ab5f768a6a7c2e986e1512350c0158c0821b2d3355f1aea1855", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|226b9d5d41eb9ab5f768a6a7c2e986e1512350c0158c0821b2d3355f1aea1855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/.obsidian/plugins/copy-publish-url/main.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 129321, "scanner": "repobility-threat-engine", "fingerprint": "7d4ed458ee158f6542bbba655ae60a10cc26a20e73c6b863c165c1877acb2ff4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7d4ed458ee158f6542bbba655ae60a10cc26a20e73c6b863c165c1877acb2ff4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contributing/.obsidian/plugins/copy-publish-url/main.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 129358, "scanner": "repobility-threat-engine", "fingerprint": "a16df3f035cc3d1e9f629ef8dd041d315b2cd4717d895e70a72184289e91103f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a16df3f035cc3d1e9f629ef8dd041d315b2cd4717d895e70a72184289e91103f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Scripting/Expression.ts"}, "region": {"startLine": 29}}}]}]}]}