{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `more-itertools` has no version pin: Unpinned pip requirement means every fresh install may", "shortDescription": {"text": "[MINED124] requirements.txt: `more-itertools` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducibl"}, "fullDescription": {"text": "Replace `more-itertools` with `more-itertools==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC011", "name": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted", "shortDescription": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "fullDescription": {"text": "Use torch.load(..., weights_only=True) or use safetensors format."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 513 lines (recommend <300)", "shortDescription": {"text": "Average file size is 513 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED080", "name": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace.", "shortDescription": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED011", "name": "[MINED011] Scala Get On Option (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED011] Scala Get On Option (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.", "shortDescription": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.", "shortDescription": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.", "shortDescription": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `examples/whisper.android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/", "shortDescription": {"text": "[MINED134] Binary file `examples/whisper.android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/whisper.android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (59,203 bytes) committed to a repo that otherwise ha"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v4`: `uses: actions/deploy-pages@v4` resolves at workfl", "shortDescription": {"text": "[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v4`: `uses: actions/deploy-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise ("}, "fullDescription": {"text": "Replace with: `uses: actions/deploy-pages@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM ubuntu:24.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `CustomHTTPRequestHandl", "shortDescription": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `CustomHTTPRequestHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises Attr"}, "fullDescription": {"text": "Initialize `self.send_header = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED021", "name": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape.", "shortDescription": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `convert_silero_vad` has cognitive complexity 36 (SonarSource scale). Cogn", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `convert_silero_vad` has cognitive complexity 36 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recu"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 36."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED017", "name": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic.", "shortDescription": {"text": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf.", "shortDescription": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-120 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/956"}, "properties": {"repository": "ggml-org/whisper.cpp", "repoUrl": "https://github.com/ggml-org/whisper.cpp", "branch": "master"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `more-itertools` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 89809, "scanner": "repobility-supply-chain", "fingerprint": "bc1358f3ed4d342c1c9ff3c05212f062d4da0af9ceb54977c36877aa998bde4c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc1358f3ed4d342c1c9ff3c05212f062d4da0af9ceb54977c36877aa998bde4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/earnings21/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `regex` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 89808, "scanner": "repobility-supply-chain", "fingerprint": "a7eb9e0eaaec46d135ef75a1832ab303da50ace7a10e8f49932413c3d35672d9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7eb9e0eaaec46d135ef75a1832ab303da50ace7a10e8f49932413c3d35672d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/earnings21/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `jiwer` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 89807, "scanner": "repobility-supply-chain", "fingerprint": "d344b86e2ee5d5157d50825be27026851f7cc962ec6d17b39275a885a6fd406c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d344b86e2ee5d5157d50825be27026851f7cc962ec6d17b39275a885a6fd406c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/earnings21/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `more-itertools` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 89806, "scanner": "repobility-supply-chain", "fingerprint": "c292620ca9960eb65167d8f95ec18704c7ad0f6dda22aaacac0e1b99abfeafd8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c292620ca9960eb65167d8f95ec18704c7ad0f6dda22aaacac0e1b99abfeafd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/librispeech/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `regex` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 89805, "scanner": "repobility-supply-chain", "fingerprint": "2f2d89718d3eda6720b2fd9ac5b2b95a9b57c7374ed63f8a17945311922505f0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f2d89718d3eda6720b2fd9ac5b2b95a9b57c7374ed63f8a17945311922505f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/librispeech/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `jiwer` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 89804, "scanner": "repobility-supply-chain", "fingerprint": "ef8e64a35988663292c16406fc0b9909359001f44bf1752391045653c9b21480", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef8e64a35988663292c16406fc0b9909359001f44bf1752391045653c9b21480"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/librispeech/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `ane_transformers` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 89803, "scanner": "repobility-supply-chain", "fingerprint": "7f37187c3ffb336981dad2fe9cd977c43345e805d93bb3f37b3c8231385b5215", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7f37187c3ffb336981dad2fe9cd977c43345e805d93bb3f37b3c8231385b5215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/requirements-coreml.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `openai-whisper` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 89802, "scanner": "repobility-supply-chain", "fingerprint": "cec5360ce3605ab21a0429963342f9bb523141f251882dd2bb94d50c0e311941", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cec5360ce3605ab21a0429963342f9bb523141f251882dd2bb94d50c0e311941"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/requirements-coreml.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `coremltools` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 89801, "scanner": "repobility-supply-chain", "fingerprint": "d1ef176777fb3f848b0ab96b94eb7316a21585817f5a23d9a13331cca0247b50", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1ef176777fb3f848b0ab96b94eb7316a21585817f5a23d9a13331cca0247b50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/requirements-coreml.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `torch` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 89800, "scanner": "repobility-supply-chain", "fingerprint": "4db8e0aadbc09b23baa9ae1f1baaad3d8c6620c4db2d5bfafc7e0503c27720b4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4db8e0aadbc09b23baa9ae1f1baaad3d8c6620c4db2d5bfafc7e0503c27720b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/requirements-coreml.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `openai-whisper` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 89799, "scanner": "repobility-supply-chain", "fingerprint": "699259df2c5ca5125d86ddae87d6dcdc2b4a888f5fee5de71d068495ce4ab057", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|699259df2c5ca5125d86ddae87d6dcdc2b4a888f5fee5de71d068495ce4ab057"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/requirements-openvino.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 89792, "scanner": "repobility-ast-engine", "fingerprint": "fd0ed25ac0c7e379eed4a628c20a471dd8e54b6373898d354946ea7724a3d685", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd0ed25ac0c7e379eed4a628c20a471dd8e54b6373898d354946ea7724a3d685"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/test_whisper_processor.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 89791, "scanner": "repobility-ast-engine", "fingerprint": "850f5cd8bc76f0b9641ac21c9b1ef6f6681d6a01ba457b79edb67964874b2db6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|850f5cd8bc76f0b9641ac21c9b1ef6f6681d6a01ba457b79edb67964874b2db6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/whisper_processor.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 89790, "scanner": "repobility-ast-engine", "fingerprint": "b8b5c8e0e466c020db9c15519e3d88c2c5c0b06219850b0c7b254885cafe0132", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b8b5c8e0e466c020db9c15519e3d88c2c5c0b06219850b0c7b254885cafe0132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/convert-pt-to-ggml.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "SEC011", "level": "warning", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 89752, "scanner": "repobility-threat-engine", "fingerprint": "ff7b527ac738a8b1b9c5f151fe5bec8c711a56d75e146748b5f06fb7aab48c51", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "torch.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|205|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/convert-pt-to-ggml.py"}, "region": {"startLine": 205}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 89714, "scanner": "repobility-threat-engine", "fingerprint": "d1e0ced2480b06f9f7172b21ecb071e281518f1d6fe55ee3b5b7c37d02b078ad", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.Popen(\n                cmd, shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|scripts/bench.py|153|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 89713, "scanner": "repobility-threat-engine", "fingerprint": "0c235ea058a979b96867eb2d703fe1c2a75bb7c9d5e1d29a87d978028795a251", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.Popen(full_command, shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|27|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/whisper_processor.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "properties": {"repobilityId": 89697, "scanner": "repobility-threat-engine", "fingerprint": "eec55b91b7ffee7b5d6571ea45dbeba2ee12b12dd24388ec860fce68d56e0aad", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(w, n)\n\t\tfmt.Fprintln(w, srtTimestamp(segment.Start)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eec55b91b7ffee7b5d6571ea45dbeba2ee12b12dd24388ec860fce68d56e0aad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bindings/go/examples/go-whisper/process.go"}, "region": {"startLine": 97}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 513 lines (recommend <300)"}, "properties": {"repobilityId": 89689, "scanner": "repobility-core", "fingerprint": "b0f34fb4b38e8cd702afb589810c522375c94df1d04b43747c1ae0917b70f6ad", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|b0f34fb4b38e8cd702afb589810c522375c94df1d04b43747c1ae0917b70f6ad"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89764, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b1e4818f2626ffb7e6253c3dacfc8e6a4ce0444997adc9972254a2da583be52b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/earnings21/normalizers/english.py", "duplicate_line": 3, "correlation_key": "fp|b1e4818f2626ffb7e6253c3dacfc8e6a4ce0444997adc9972254a2da583be52b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/librispeech/normalizers/english.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89763, "scanner": "repobility-ai-code-hygiene", "fingerprint": "734f34a0bbd58c160271d620d5608097c54784c720a4da3d3e1b677f6fe66127", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/earnings21/normalizers/basic.py", "duplicate_line": 1, "correlation_key": "fp|734f34a0bbd58c160271d620d5608097c54784c720a4da3d3e1b677f6fe66127"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/librispeech/normalizers/basic.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89762, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a8bbdd50f72d5e003b84e7b48f4e863d88a88de9722677c0d7f89f3b0d35597", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "models/convert-h5-to-ggml.py", "duplicate_line": 40, "correlation_key": "fp|8a8bbdd50f72d5e003b84e7b48f4e863d88a88de9722677c0d7f89f3b0d35597"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/convert-pt-to-ggml.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89761, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7082467f9da51a3ce9ff53cb1fdd5643a6730b5b5c750c5875e39edaa8a785d1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ggml/src/ggml-blas/ggml-blas.cpp", "duplicate_line": 143, "correlation_key": "fp|7082467f9da51a3ce9ff53cb1fdd5643a6730b5b5c750c5875e39edaa8a785d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-zendnn/ggml-zendnn.cpp"}, "region": {"startLine": 307}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89760, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2fe992a3e6fe4707bec70bbf3cc1341d96fc2e1b33745bc0f593d2372820f683", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ggml/src/ggml-sycl/fattn-common.hpp", "duplicate_line": 615, "correlation_key": "fp|2fe992a3e6fe4707bec70bbf3cc1341d96fc2e1b33745bc0f593d2372820f683"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-sycl/fattn-vec.hpp"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89759, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2485d422bb37e480ab5ade7cf6a8c99f0295f62103ec4b30c9f61b18ce030a1f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ggml/src/ggml-openvino/openvino/op/glu_geglu.cpp", "duplicate_line": 6, "correlation_key": "fp|2485d422bb37e480ab5ade7cf6a8c99f0295f62103ec4b30c9f61b18ce030a1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-openvino/openvino/op/glu_swiglu.cpp"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89758, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e96b489c33209a23741b6073d11e5f57a6882554478464ae0617fbd85f4a8997", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ggml/src/ggml-hexagon/htp/cpy-ops.c", "duplicate_line": 11, "correlation_key": "fp|e96b489c33209a23741b6073d11e5f57a6882554478464ae0617fbd85f4a8997"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-hexagon/htp/sum-rows-ops.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89757, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ea288b333df2fc9a19430e5fd64e2e52ef96c6635ca34cf62a78dbdc1bfec89", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ggml/src/ggml-hexagon/htp/get-rows-ops.c", "duplicate_line": 25, "correlation_key": "fp|4ea288b333df2fc9a19430e5fd64e2e52ef96c6635ca34cf62a78dbdc1bfec89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-hexagon/htp/set-rows-ops.c"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89756, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0605c5840bb855f92b5cf5ac6949ecb6a033dfd0be316ea4d203e7c9232ce84a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ggml/src/ggml-hexagon/htp/cumsum-ops.c", "duplicate_line": 4, "correlation_key": "fp|0605c5840bb855f92b5cf5ac6949ecb6a033dfd0be316ea4d203e7c9232ce84a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-hexagon/htp/rope-ops.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89755, "scanner": "repobility-ai-code-hygiene", "fingerprint": "044d580109112d6f7742df61699554190f1d34c6f95a88c6609dc15b30380351", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ggml/src/ggml-hexagon/htp/hvx-arith.h", "duplicate_line": 63, "correlation_key": "fp|044d580109112d6f7742df61699554190f1d34c6f95a88c6609dc15b30380351"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-hexagon/htp/hvx-div.h"}, "region": {"startLine": 186}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 89754, "scanner": "repobility-ai-code-hygiene", "fingerprint": "422a344994ff2694c635ae91e7838949a269901e1270c1eadb2fc2a458cf93b8", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|422a344994ff2694c635ae91e7838949a269901e1270c1eadb2fc2a458cf93b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-hexagon/htp/hvx-copy.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 89711, "scanner": "repobility-threat-engine", "fingerprint": "bafd3027413a5d74d3bd64eda561139914e1da57ab21f66d47318826b23a9c26", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Selecting \" + numThreads + \" threads\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bafd3027413a5d74d3bd64eda561139914e1da57ab21f66d47318826b23a9c26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.android.java/app/src/main/java/com/whispercpp/java/whisper/WhisperContext.java"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 89710, "scanner": "repobility-threat-engine", "fingerprint": "7e58c7aa333a192e4732bb3e0543a26dff457af83e7443f45d99761670353f67", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"/sys/devices/system/cpu/cpu\" + cpuIndex + \"/cpufreq/cpuinfo_max_freq\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7e58c7aa333a192e4732bb3e0543a26dff457af83e7443f45d99761670353f67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.android.java/app/src/main/java/com/whispercpp/java/whisper/CpuInfo.java"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 89709, "scanner": "repobility-threat-engine", "fingerprint": "2c5fb3fe1bb50604ce4748655bd7409e8c5bdff4ce92972adc0f48d2a88c9c6b", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'You are about to download ' + size_mb + ' MB of data.\\n'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2c5fb3fe1bb50604ce4748655bd7409e8c5bdff4ce92972adc0f48d2a88c9c6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/helpers.js"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 89749, "scanner": "repobility-threat-engine", "fingerprint": "238723dcc120efcaf1811f61da0b696e3ad0bbb54ce5c501615f0ca3af57ab52", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|10|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/convert-whisper-to-openvino.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 89748, "scanner": "repobility-threat-engine", "fingerprint": "ae83aa27c6ab7a80af044148b40031176d471cdb399d59fa9ed8de404206ece4", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|99|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/convert-h5-to-coreml.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 89745, "scanner": "repobility-threat-engine", "fingerprint": "734883c95233f7b4c388ffb761578b89167e95d2df31d27229b5bc57759baa0f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|734883c95233f7b4c388ffb761578b89167e95d2df31d27229b5bc57759baa0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-sycl/sycl_hw.cpp"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 89744, "scanner": "repobility-threat-engine", "fingerprint": "e485e4bf795f942a82e1b18db0ffc5752496d9cdd7f32848fd917c7a4da37f30", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e485e4bf795f942a82e1b18db0ffc5752496d9cdd7f32848fd917c7a4da37f30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/convert-pt-to-ggml.py"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 89743, "scanner": "repobility-threat-engine", "fingerprint": "7fc0387fb6abb84e0381272bb581a56495ba83e277fbe05a48a69b17330586c0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7fc0387fb6abb84e0381272bb581a56495ba83e277fbe05a48a69b17330586c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/convert-h5-to-ggml.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 89742, "scanner": "repobility-threat-engine", "fingerprint": "1f994919d105498c13b63b65e593ecc42b16431da6b0bb21bf057924f759fd75", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1f994919d105498c13b63b65e593ecc42b16431da6b0bb21bf057924f759fd75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-opencl/kernels/embed_kernel.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED011", "level": "none", "message": {"text": "[MINED011] Scala Get On Option (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 89739, "scanner": "repobility-threat-engine", "fingerprint": "166d25e5bcd7592f3a15b2f0b07c187e0a72ee652817b1a47aa3634cf46f864f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|166d25e5bcd7592f3a15b2f0b07c187e0a72ee652817b1a47aa3634cf46f864f", "aggregated_count": 3}}}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 89735, "scanner": "repobility-threat-engine", "fingerprint": "47d28b3a0816fefb46cfb8a47814d3aab819b098037b70af973575d36c71c511", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|47d28b3a0816fefb46cfb8a47814d3aab819b098037b70af973575d36c71c511"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.objc/whisper.objc/ViewController.m"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 89734, "scanner": "repobility-threat-engine", "fingerprint": "1ca86d481bff35bc0f498a45be85b67d725e8a35dad311d0c02d629e3c993698", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ca86d481bff35bc0f498a45be85b67d725e8a35dad311d0c02d629e3c993698"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.objc/whisper.objc/ViewController.m"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 89733, "scanner": "repobility-threat-engine", "fingerprint": "171cdc751d140ad6924f8f0686317502a6dba81a79145b52373a42106c25b390", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|171cdc751d140ad6924f8f0686317502a6dba81a79145b52373a42106c25b390"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-cuda/mean.cu"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 89732, "scanner": "repobility-threat-engine", "fingerprint": "0ee4fa9c5d858b4f976418c327fa4699cc92f62ce4f25d49932205663a459bd7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ee4fa9c5d858b4f976418c327fa4699cc92f62ce4f25d49932205663a459bd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-cuda/conv-transpose-1d.cu"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 89731, "scanner": "repobility-threat-engine", "fingerprint": "cf2c2ef8a994b4a1effe9d7ad1a51083f674ed2b61bb04ef1202580f68e4b540", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cf2c2ef8a994b4a1effe9d7ad1a51083f674ed2b61bb04ef1202580f68e4b540"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.objc/whisper.objc/ViewController.m"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 89727, "scanner": "repobility-threat-engine", "fingerprint": "21aac7e3117956e150ccf0d829023636b5067d099a53ac9c6df88a64f74387de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21aac7e3117956e150ccf0d829023636b5067d099a53ac9c6df88a64f74387de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.android.java/app/src/main/java/com/whispercpp/java/whisper/CpuInfo.java"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 89726, "scanner": "repobility-threat-engine", "fingerprint": "40e2d67d3b7008ee158c11855a3f5daf4fdd696bfd8f378ac798e81c31237678", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|40e2d67d3b7008ee158c11855a3f5daf4fdd696bfd8f378ac798e81c31237678"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.android.java/app/src/main/java/com/litongjava/whisper/android/java/utils/AssetUtils.java"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 89725, "scanner": "repobility-threat-engine", "fingerprint": "9efdc9432f3ec4b5fc89b14d977724ef6a5e9df5f51036ae0e29202b784d55ed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9efdc9432f3ec4b5fc89b14d977724ef6a5e9df5f51036ae0e29202b784d55ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.android.java/app/src/main/java/com/litongjava/whisper/android/java/services/WhisperService.java"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 89724, "scanner": "repobility-threat-engine", "fingerprint": "8d22d234ff6e522558f501e2b961809b56638e20faacee3f5f64166e5b05aa03", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8d22d234ff6e522558f501e2b961809b56638e20faacee3f5f64166e5b05aa03", "aggregated_count": 2}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 89723, "scanner": "repobility-threat-engine", "fingerprint": "037b14c69235a9a39b1b6633ca6e0385688e38277037b27e175d76d235562942", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|037b14c69235a9a39b1b6633ca6e0385688e38277037b27e175d76d235562942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/talk-llama/llama-memory-hybrid.cpp"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 89722, "scanner": "repobility-threat-engine", "fingerprint": "bef33d09c8fa2e512a3e1e0bf0bde5d9fd274fe8591f97a989b8f76146491213", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bef33d09c8fa2e512a3e1e0bf0bde5d9fd274fe8591f97a989b8f76146491213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/talk-llama/llama-memory-hybrid-iswa.cpp"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 89721, "scanner": "repobility-threat-engine", "fingerprint": "b0813ad895b0760b76e4f0a130960aeb6fe12120a07ae4fdbae9ccc9808f83b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0813ad895b0760b76e4f0a130960aeb6fe12120a07ae4fdbae9ccc9808f83b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/talk-llama/llama-kv-cache-iswa.cpp"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 89712, "scanner": "repobility-threat-engine", "fingerprint": "c33d4dbb5dd855b803d0d23f5d3b8408f1d165d852433d384b1e5f6d688cd1c2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c33d4dbb5dd855b803d0d23f5d3b8408f1d165d852433d384b1e5f6d688cd1c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/livestream.sh"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 89707, "scanner": "repobility-threat-engine", "fingerprint": "42fc4030f57c04d8ace60c0c7e321d52477b44af5460a2f3247591bde9511d4d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|42fc4030f57c04d8ace60c0c7e321d52477b44af5460a2f3247591bde9511d4d"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 89703, "scanner": "repobility-threat-engine", "fingerprint": "f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "aggregated_count": 2}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 89702, "scanner": "repobility-threat-engine", "fingerprint": "46cbb7d5b6e84392e93f8ab3ab1bf6e4cd953fd2df25d0db796aa122df040211", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46cbb7d5b6e84392e93f8ab3ab1bf6e4cd953fd2df25d0db796aa122df040211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/addon.node/vad-example.js"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 89701, "scanner": "repobility-threat-engine", "fingerprint": "3a0f439d57075a3d823a3d628e3d6739927eaa8ee95c8436a7ec6966d9ae1a80", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a0f439d57075a3d823a3d628e3d6739927eaa8ee95c8436a7ec6966d9ae1a80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/addon.node/index.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 89700, "scanner": "repobility-threat-engine", "fingerprint": "bb4a17babb1a28dee4560886e5b974ecf691a6f6313ed9b6af14d85e9284b443", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb4a17babb1a28dee4560886e5b974ecf691a6f6313ed9b6af14d85e9284b443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bindings/javascript/libwhisper.worker.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 89699, "scanner": "repobility-threat-engine", "fingerprint": "1693b8e052c4aff11868556c3c5b9a45e30659013c2f777da084ee28cd4fb0d3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1693b8e052c4aff11868556c3c5b9a45e30659013c2f777da084ee28cd4fb0d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/convert-pt-to-ggml.py"}, "region": {"startLine": 238}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 89698, "scanner": "repobility-threat-engine", "fingerprint": "f88c3fe72d5ddfef7f0c120f601e9d25bb1783266c3a8e94d85a537751c88538", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f88c3fe72d5ddfef7f0c120f601e9d25bb1783266c3a8e94d85a537751c88538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bindings/go/examples/go-whisper/process.go"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 89696, "scanner": "repobility-threat-engine", "fingerprint": "b45eeb07d492221c6c8af6e22cf39de840108a5ceff6ac8b2f069b1cd82c9e11", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "print(\"Error: failed to find either tiktoken or hf_transformers tokenizer file:\", tokenizer)", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|23|print error: failed to find either tiktoken or hf_transformers tokenizer file: tokenizer"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/convert-pt-to-ggml.py"}, "region": {"startLine": 238}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 89694, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 89690, "scanner": "repobility-threat-engine", "fingerprint": "9e85d915312e50ea922707fc7d9530dc86b1c530465c7910fc6b0a014b2763b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e85d915312e50ea922707fc7d9530dc86b1c530465c7910fc6b0a014b2763b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bindings/go/examples/go-model-download/context.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `examples/whisper.android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/whisper.android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (59,203 bytes) committed to a repo that otherwise has 843 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 89844, "scanner": "repobility-supply-chain", "fingerprint": "773e70a59696cd0a31906c98b2dc4e562f5b76de506330d3a396e3f29539bf23", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|773e70a59696cd0a31906c98b2dc4e562f5b76de506330d3a396e3f29539bf23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `examples/whisper.android.java/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/whisper.android.java/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (54,329 bytes) committed to a repo that otherwise has 843 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 89843, "scanner": "repobility-supply-chain", "fingerprint": "96f9b3111df5a67c6d747a34fef2ebb35cdf559364cabedfc7703f10899581c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|96f9b3111df5a67c6d747a34fef2ebb35cdf559364cabedfc7703f10899581c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.android.java/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `bindings/java/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `bindings/java/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (61,608 bytes) committed to a repo that otherwise has 843 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 89842, "scanner": "repobility-supply-chain", "fingerprint": "8420f9477298f5013e5e0a8971b9c8883861624c0961c8867521af30b998849f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8420f9477298f5013e5e0a8971b9c8883861624c0961c8867521af30b998849f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bindings/java/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v4`: `uses: actions/deploy-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89834, "scanner": "repobility-supply-chain", "fingerprint": "4a1554cd256a5d58e80da7324abb38624ecc029e66db3410f9671e1a9da14407", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a1554cd256a5d58e80da7324abb38624ecc029e66db3410f9671e1a9da14407"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-examples-wasm.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-pages-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-pages-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89833, "scanner": "repobility-supply-chain", "fingerprint": "38d4cec8c1cae606d2f10c1135831ad7d66655871f71e969924ee37f98575b83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38d4cec8c1cae606d2f10c1135831ad7d66655871f71e969924ee37f98575b83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-examples-wasm.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/configure-pages` pinned to mutable ref `@v5`: `uses: actions/configure-pages@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89832, "scanner": "repobility-supply-chain", "fingerprint": "2f3833f6a7a0f9bd4418b8bfcfffd1c805bcfc9a111adb9d325b8f9dd414d74f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f3833f6a7a0f9bd4418b8bfcfffd1c805bcfc9a111adb9d325b8f9dd414d74f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-examples-wasm.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89831, "scanner": "repobility-supply-chain", "fingerprint": "3e3d623b4a449fc8d268a295eed7234195fa3c1d2b3eafecfcfe29e2d5ab0e3c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e3d623b4a449fc8d268a295eed7234195fa3c1d2b3eafecfcfe29e2d5ab0e3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-examples-wasm.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89830, "scanner": "repobility-supply-chain", "fingerprint": "2fbb7d92fd36004daf01cb0cc252f8d6b619fa96344789c1b219008c759fa363", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2fbb7d92fd36004daf01cb0cc252f8d6b619fa96344789c1b219008c759fa363"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-vad.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ggml-org/ccache-action` pinned to mutable ref `@v1.2.21`: `uses: ggml-org/ccache-action@v1.2.21` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89829, "scanner": "repobility-supply-chain", "fingerprint": "6f772ab4ae269a772d9d9bfae4187263827255fefff039b83daf30492bb516d5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6f772ab4ae269a772d9d9bfae4187263827255fefff039b83daf30492bb516d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-gcc.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89828, "scanner": "repobility-supply-chain", "fingerprint": "abe61c8b620041f8cac1c6942be54b1e093915c994e3f222cd786b3e0d136d64", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|abe61c8b620041f8cac1c6942be54b1e093915c994e3f222cd786b3e0d136d64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-gcc.yml"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ggml-org/ccache-action` pinned to mutable ref `@v1.2.21`: `uses: ggml-org/ccache-action@v1.2.21` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89827, "scanner": "repobility-supply-chain", "fingerprint": "f96c0cdc54bf09fde612d5513977825be20bea50817c6b863faf456bd132f9ac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f96c0cdc54bf09fde612d5513977825be20bea50817c6b863faf456bd132f9ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-gcc.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89826, "scanner": "repobility-supply-chain", "fingerprint": "46c4716e4d860216b8eec50313f879d9b03d2f0edc4b7738bc4d9bc288f0e3b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46c4716e4d860216b8eec50313f879d9b03d2f0edc4b7738bc4d9bc288f0e3b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-gcc.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ggml-org/ccache-action` pinned to mutable ref `@v1.2.21`: `uses: ggml-org/ccache-action@v1.2.21` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89825, "scanner": "repobility-supply-chain", "fingerprint": "f2038bde98db6527f3649a13ad0b1e3600512fefaa7c07d6c114cba30d416fe7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f2038bde98db6527f3649a13ad0b1e3600512fefaa7c07d6c114cba30d416fe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-gcc.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89824, "scanner": "repobility-supply-chain", "fingerprint": "6dbba68d7012068a40b4e8310b2c2724af5c96247cee39ba9ff8a3a8b90ad46a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6dbba68d7012068a40b4e8310b2c2724af5c96247cee39ba9ff8a3a8b90ad46a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-gcc.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89823, "scanner": "repobility-supply-chain", "fingerprint": "7b83e9b8bcb25f40ea9bf7007b81a05c4739b3d4a3101676f61f7277046a3d17", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b83e9b8bcb25f40ea9bf7007b81a05c4739b3d4a3101676f61f7277046a3d17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-coreml.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89822, "scanner": "repobility-supply-chain", "fingerprint": "6e189624105936e13e27f8dfdf1075a5d0048eee83d7fe2bbf29d9226799fc4b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e189624105936e13e27f8dfdf1075a5d0048eee83d7fe2bbf29d9226799fc4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-self-hosted.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89821, "scanner": "repobility-supply-chain", "fingerprint": "ca287349e96b46758376904b9a29edc26e2202f092d5771d3f9aa04339e2a7f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca287349e96b46758376904b9a29edc26e2202f092d5771d3f9aa04339e2a7f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-self-hosted.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89820, "scanner": "repobility-supply-chain", "fingerprint": "bb9d2aa300d816a93c58d28c71a11813c6c02dc6b22b4abf4cbdb1e30d947e54", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb9d2aa300d816a93c58d28c71a11813c6c02dc6b22b4abf4cbdb1e30d947e54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-self-hosted.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89819, "scanner": "repobility-supply-chain", "fingerprint": "0d7444946662c18ef97ede6b2ff1562fe96fe489a79480db41f045c0a0967d45", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d7444946662c18ef97ede6b2ff1562fe96fe489a79480db41f045c0a0967d45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-self-hosted.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89818, "scanner": "repobility-supply-chain", "fingerprint": "d75b995938a23f5dce49420202f62609e4ef38f49ff7d92aee53be174bf7381c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d75b995938a23f5dce49420202f62609e4ef38f49ff7d92aee53be174bf7381c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-self-hosted.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89817, "scanner": "repobility-supply-chain", "fingerprint": "3de84e1b373e6abd7cae5b2ce262db9fa405745358e41cd0ff9ebdab78b4fa09", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3de84e1b373e6abd7cae5b2ce262db9fa405745358e41cd0ff9ebdab78b4fa09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bindings-go.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89816, "scanner": "repobility-supply-chain", "fingerprint": "e6e3e2b61c21ab702b6903be35bdc751f724b2d3c78e7c92a8824d65e5c13d69", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6e3e2b61c21ab702b6903be35bdc751f724b2d3c78e7c92a8824d65e5c13d69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bindings-go.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89815, "scanner": "repobility-supply-chain", "fingerprint": "11e82b6b6366d8491c0d1b333452755f72fbb8094f90149b2704ff718d999dcb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11e82b6b6366d8491c0d1b333452755f72fbb8094f90149b2704ff718d999dcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-android.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89814, "scanner": "repobility-supply-chain", "fingerprint": "e639ce97ab3ff07d808caab13185890833675483b7a7bef0f3826fa823615b4c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e639ce97ab3ff07d808caab13185890833675483b7a7bef0f3826fa823615b4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-android.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89813, "scanner": "repobility-supply-chain", "fingerprint": "e065188c54a96aa891637965f5de940386a70271bfc3b46819cff4041c9096cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e065188c54a96aa891637965f5de940386a70271bfc3b46819cff4041c9096cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-android.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89812, "scanner": "repobility-supply-chain", "fingerprint": "892f8771d466a7f4dc54638f0defce008f378a5f9709df8b2f064284016ed8a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|892f8771d466a7f4dc54638f0defce008f378a5f9709df8b2f064284016ed8a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-android.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ggml-org/ccache-action` pinned to mutable ref `@v1.2.21`: `uses: ggml-org/ccache-action@v1.2.21` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89811, "scanner": "repobility-supply-chain", "fingerprint": "e7ca12d7f777888e212a18d9de9ce146bd9cbfdc365feb4f75b512397ff66cba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e7ca12d7f777888e212a18d9de9ce146bd9cbfdc365feb4f75b512397ff66cba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-macos.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 89810, "scanner": "repobility-supply-chain", "fingerprint": "b4e5bccdc9a7676bdc2d56f8f3cf689bd166c3e61f916b4a5a28054e4feeab9e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4e5bccdc9a7676bdc2d56f8f3cf689bd166c3e61f916b4a5a28054e4feeab9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-macos.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 89798, "scanner": "repobility-supply-chain", "fingerprint": "97503b4bd38b83503d8be3c1284080350082299a6fdd3a593f2ef470b49c143b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|97503b4bd38b83503d8be3c1284080350082299a6fdd3a593f2ef470b49c143b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devops/main-vulkan.Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 89797, "scanner": "repobility-supply-chain", "fingerprint": "4471db7476c5fa18ffe60bd9d2a185f628ab0c9335727e096a7cb2e6db88ecb5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4471db7476c5fa18ffe60bd9d2a185f628ab0c9335727e096a7cb2e6db88ecb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devops/main-vulkan.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `intel/deep-learning-essentials (no tag)` not pinned by digest: `FROM intel/deep-learning-essentials (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 89796, "scanner": "repobility-supply-chain", "fingerprint": "8c6dced575c5a7580dc5dccdf779a6f2fcc25321f81ba6b1e927b4af3ee61218", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c6dced575c5a7580dc5dccdf779a6f2fcc25321f81ba6b1e927b4af3ee61218"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devops/main-intel.Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `intel/deep-learning-essentials (no tag)` not pinned by digest: `FROM intel/deep-learning-essentials (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 89795, "scanner": "repobility-supply-chain", "fingerprint": "2babb4d0613f913d183b79aa44651220ca40523d09d65fac84c15b4c456fa22c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2babb4d0613f913d183b79aa44651220ca40523d09d65fac84c15b4c456fa22c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devops/main-intel.Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 89794, "scanner": "repobility-supply-chain", "fingerprint": "f5915436d288ccafc3e66ebb99264231ab15e21152a790d3a5f5bde5068a687f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f5915436d288ccafc3e66ebb99264231ab15e21152a790d3a5f5bde5068a687f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devops/main.Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 89793, "scanner": "repobility-supply-chain", "fingerprint": "e42a36e88f4c8c857398cde4a84088762fdafde76c07e4b446aa93321a1464d4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e42a36e88f4c8c857398cde4a84088762fdafde76c07e4b446aa93321a1464d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devops/main.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `CustomHTTPRequestHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89789, "scanner": "repobility-ast-engine", "fingerprint": "ec4d60dba3362817c15bfe892e835d33ae6ebc0921fbf3024c0f4ca9b314bf88", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec4d60dba3362817c15bfe892e835d33ae6ebc0921fbf3024c0f4ca9b314bf88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `CustomHTTPRequestHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89788, "scanner": "repobility-ast-engine", "fingerprint": "e1588e8b4decfbd4bde0a9674951980181af1ff3b8e0760cdc7739134046df99", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e1588e8b4decfbd4bde0a9674951980181af1ff3b8e0760cdc7739134046df99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `CustomHTTPRequestHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89787, "scanner": "repobility-ast-engine", "fingerprint": "e68d1044d0cbf36df3832426b5e79bb4736c251b88436e1ecfae508f5df09750", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e68d1044d0cbf36df3832426b5e79bb4736c251b88436e1ecfae508f5df09750"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89786, "scanner": "repobility-ast-engine", "fingerprint": "eb4f295f1f920cd3fbcadaabfd80ecbb369affbda9b4a2452d4731cde211ec9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb4f295f1f920cd3fbcadaabfd80ecbb369affbda9b4a2452d4731cde211ec9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wfile` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89785, "scanner": "repobility-ast-engine", "fingerprint": "bafd20d94654916c81e9b45d143056e499c561030bf22028887eb5bced548477", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bafd20d94654916c81e9b45d143056e499c561030bf22028887eb5bced548477"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89784, "scanner": "repobility-ast-engine", "fingerprint": "c45f125be1401165b2075d49790a49cb1bba3f490ec6b0f1b52921d667a87a45", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c45f125be1401165b2075d49790a49cb1bba3f490ec6b0f1b52921d667a87a45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89783, "scanner": "repobility-ast-engine", "fingerprint": "1fbaa4dea4e64cad15c897efeec8a5d9f252577d3e420e4a3ae63b166adf6ab9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1fbaa4dea4e64cad15c897efeec8a5d9f252577d3e420e4a3ae63b166adf6ab9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89782, "scanner": "repobility-ast-engine", "fingerprint": "f9555f46bf2b03c539ee8506649fdd7846587ad30e2b0156588182f95e5748d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f9555f46bf2b03c539ee8506649fdd7846587ad30e2b0156588182f95e5748d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89781, "scanner": "repobility-ast-engine", "fingerprint": "c71f3e2858c575547e2000efc9a7ec7e1aca902b06608b97020ac961977f7cfb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c71f3e2858c575547e2000efc9a7ec7e1aca902b06608b97020ac961977f7cfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89780, "scanner": "repobility-ast-engine", "fingerprint": "872ab081abe528dc411e0a915bc2bdda7832b2774201e85b340d51a62f6c4ab6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|872ab081abe528dc411e0a915bc2bdda7832b2774201e85b340d51a62f6c4ab6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89779, "scanner": "repobility-ast-engine", "fingerprint": "37e4c3d4b54d86c49b07ed03f122dfff044d3a7e0073e9ffeeaca74c468bcd09", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|37e4c3d4b54d86c49b07ed03f122dfff044d3a7e0073e9ffeeaca74c468bcd09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89778, "scanner": "repobility-ast-engine", "fingerprint": "7808dfd22a131beba88b13af51eeee57f2c53d1ea0388c7631711ec5c2e54daf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7808dfd22a131beba88b13af51eeee57f2c53d1ea0388c7631711ec5c2e54daf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89777, "scanner": "repobility-ast-engine", "fingerprint": "40261e497f035767d1637dd96a927468aac778e919ea01df2e279a32409e16a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|40261e497f035767d1637dd96a927468aac778e919ea01df2e279a32409e16a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89776, "scanner": "repobility-ast-engine", "fingerprint": "aff5d9b5b51ffe8a4a39d55e76584dd9e5d4a577caaee0369d92b83e76115ca0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aff5d9b5b51ffe8a4a39d55e76584dd9e5d4a577caaee0369d92b83e76115ca0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89775, "scanner": "repobility-ast-engine", "fingerprint": "44a2002f8039036b80740ac4303ec5b7d0c6bfc5f1a00fdc4b35354932112961", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44a2002f8039036b80740ac4303ec5b7d0c6bfc5f1a00fdc4b35354932112961"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89774, "scanner": "repobility-ast-engine", "fingerprint": "5778f54c5a5ffd594748ecf2d240ddc541159de2fc35ea4a858ea1b031bb7706", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5778f54c5a5ffd594748ecf2d240ddc541159de2fc35ea4a858ea1b031bb7706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89773, "scanner": "repobility-ast-engine", "fingerprint": "fd824b040e36d7176a1e567a0d96189755a98a798cfe60a9842028538a0c0886", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd824b040e36d7176a1e567a0d96189755a98a798cfe60a9842028538a0c0886"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89772, "scanner": "repobility-ast-engine", "fingerprint": "f22c7c095f7a5fe1677623f3da28a69ddc37816b81ae45109e42cf231438a27e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f22c7c095f7a5fe1677623f3da28a69ddc37816b81ae45109e42cf231438a27e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89771, "scanner": "repobility-ast-engine", "fingerprint": "24dfe9ef13d36946a9ab8da747f7b45c327c82fc79b818879944a3f69c61085d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|24dfe9ef13d36946a9ab8da747f7b45c327c82fc79b818879944a3f69c61085d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89770, "scanner": "repobility-ast-engine", "fingerprint": "e226b59436a92c97ef83bdbbd73c0f2da66af732c73716410233ed8025ca28b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e226b59436a92c97ef83bdbbd73c0f2da66af732c73716410233ed8025ca28b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89769, "scanner": "repobility-ast-engine", "fingerprint": "070b9370eec1422b1700ac6eaca8c7d95a98cbb2512f8dbd25a68f45ed8d09d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|070b9370eec1422b1700ac6eaca8c7d95a98cbb2512f8dbd25a68f45ed8d09d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89768, "scanner": "repobility-ast-engine", "fingerprint": "a6da3ba6bbcdd97828bbffe46c62a57a69b8729b2a799098f3d1fca4b1569bb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a6da3ba6bbcdd97828bbffe46c62a57a69b8729b2a799098f3d1fca4b1569bb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89767, "scanner": "repobility-ast-engine", "fingerprint": "599a8745e123d9cd8ab57effea71bc48f6ef1325767ccd2b89e94245b5b0f687", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|599a8745e123d9cd8ab57effea71bc48f6ef1325767ccd2b89e94245b5b0f687"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89766, "scanner": "repobility-ast-engine", "fingerprint": "c570bc6555a2e7b78603e54673be7008d729eea6451c977cbceae86c526e9602", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c570bc6555a2e7b78603e54673be7008d729eea6451c977cbceae86c526e9602"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `CustomHTTPRequestHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 89765, "scanner": "repobility-ast-engine", "fingerprint": "55b9ba17b13e551f301d18fb7dfabccf22e647983f8f1cb1b37dd99b28c7d820", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|55b9ba17b13e551f301d18fb7dfabccf22e647983f8f1cb1b37dd99b28c7d820"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 89753, "scanner": "repobility-threat-engine", "fingerprint": "bf6c28a258a64f72a1808a7d51cb91ac2e501bcd383957fc105a2b2f532b2b53", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(rf\"{label} \\s*=\\s*(\\d+\\.\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/bench.py|116|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 89751, "scanner": "repobility-threat-engine", "fingerprint": "9503e58eacea63fe96e88e57b84097d8044eda81c5fc6650eba4d5e4a98f9d25", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "row.update(times)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9503e58eacea63fe96e88e57b84097d8044eda81c5fc6650eba4d5e4a98f9d25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench.py"}, "region": {"startLine": 224}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 89750, "scanner": "repobility-threat-engine", "fingerprint": "88a351fafc359372177758af32055e6bbe3e47b566ba53918acfb2f976400ba6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "torch.save({\"dims\": dims, \"model_state_dict\": state_dict}, whisper_state_path)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|88a351fafc359372177758af32055e6bbe3e47b566ba53918acfb2f976400ba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/convert-h5-to-coreml.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 89747, "scanner": "repobility-threat-engine", "fingerprint": "260f379374e9adee50b3cd475554a51bbd2573a9b50766f126b1511c5c5a79ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|260f379374e9adee50b3cd475554a51bbd2573a9b50766f126b1511c5c5a79ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-webgpu/wgsl-shaders/embed_wgsl.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 89746, "scanner": "repobility-threat-engine", "fingerprint": "25dc4ff86de8b68f85c3b4a45fd41deff7175295f37652c9ccf1e65c1ec04908", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|15|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-webgpu/wgsl-shaders/embed_wgsl.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 89738, "scanner": "repobility-threat-engine", "fingerprint": "258c9892b7d49023410fc783f9a921516b67f545a70a80fb1f3bee802dab31df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|258c9892b7d49023410fc783f9a921516b67f545a70a80fb1f3bee802dab31df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-cuda/mmf.cu"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 89737, "scanner": "repobility-threat-engine", "fingerprint": "85e75bf8eeea75fad056f142ac9fd386c51958b04d97a4507563209aa989657f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|85e75bf8eeea75fad056f142ac9fd386c51958b04d97a4507563209aa989657f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-cuda/cumsum.cu"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 89736, "scanner": "repobility-threat-engine", "fingerprint": "22e7773128f8b9898b34b5ce883808d6fb849ebf8b0e24eb2bbb618554075b7f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|22e7773128f8b9898b34b5ce883808d6fb849ebf8b0e24eb2bbb618554075b7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-cuda/argsort.cu"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "properties": {"repobilityId": 89730, "scanner": "repobility-threat-engine", "fingerprint": "1d424e0c2c7e6a16af3afd57e3aeaa0aeae7f317ef63147da66ab740c85e7364", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1d424e0c2c7e6a16af3afd57e3aeaa0aeae7f317ef63147da66ab740c85e7364"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.android/app/src/main/java/com/whispercppdemo/ui/main/MainScreenViewModel.kt"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 89729, "scanner": "repobility-threat-engine", "fingerprint": "d07a20a1d80c88dbec586aa023299cc077753f930a48cf2861115193b6cb277c", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "os.path.join(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|15|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-webgpu/wgsl-shaders/embed_wgsl.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 89728, "scanner": "repobility-threat-engine", "fingerprint": "c2df25593fd92842fdc5037414f64255743fca2c66f60039dc6e5821a4d92dd1", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(assetPath).use { input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|218|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.android/app/src/main/java/com/whispercppdemo/ui/main/MainScreenViewModel.kt"}, "region": {"startLine": 218}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `convert_silero_vad` has cognitive complexity 36 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=1, continue=1, else=3, for=7, if=7, nested_bonus=13, or=1, ternary=3."}, "properties": {"repobilityId": 89720, "scanner": "repobility-threat-engine", "fingerprint": "9d3aaa248c5f8f2ad11306497d3ac3559f0edc5703ed635525fcc9c407722a94", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 36 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "convert_silero_vad", "breakdown": {"if": 7, "or": 1, "and": 1, "for": 7, "else": 3, "ternary": 3, "continue": 1, "nested_bonus": 13}, "complexity": 36, "correlation_key": "fp|9d3aaa248c5f8f2ad11306497d3ac3559f0edc5703ed635525fcc9c407722a94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/convert-silero-vad-to-ggml.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `do_GET` has cognitive complexity 31 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=3, else=4, if=10, nested_bonus=13, recursion=1."}, "properties": {"repobilityId": 89719, "scanner": "repobility-threat-engine", "fingerprint": "05d66f53dd94cafa8eb9aa42e0f4f63af49f9051df4ee0e77bf8154ad3c30dd5", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 31 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "do_GET", "breakdown": {"if": 10, "elif": 3, "else": 4, "recursion": 1, "nested_bonus": 13}, "complexity": 31, "correlation_key": "fp|05d66f53dd94cafa8eb9aa42e0f4f63af49f9051df4ee0e77bf8154ad3c30dd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 89718, "scanner": "repobility-threat-engine", "fingerprint": "2b9d8e101fbc3d9428cf437322e4881eddd66c00a7f50151149980ff7d88f586", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b9d8e101fbc3d9428cf437322e4881eddd66c00a7f50151149980ff7d88f586"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 89717, "scanner": "repobility-threat-engine", "fingerprint": "630fbda97dcd824fb45c46df30dac10d0237b4bd0dce64a24e043400a1cef122", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|630fbda97dcd824fb45c46df30dac10d0237b4bd0dce64a24e043400a1cef122"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 89716, "scanner": "repobility-threat-engine", "fingerprint": "337362ce7fe1bd5fb2fcc54929041f30162cb74f70a24b2c94021a73fd4c541f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|337362ce7fe1bd5fb2fcc54929041f30162cb74f70a24b2c94021a73fd4c541f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 89715, "scanner": "repobility-threat-engine", "fingerprint": "e2733ec2be44c4c19fc002941aece78e6d1234b5440c2ce02f2f6120e4f66d6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e2733ec2be44c4c19fc002941aece78e6d1234b5440c2ce02f2f6120e4f66d6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/whisper_processor.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic."}, "properties": {"repobilityId": 89708, "scanner": "repobility-threat-engine", "fingerprint": "4dff83657184b6bab5fd9450c82f139b7ad757d1511f39dff08246245daf9f23", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4dff83657184b6bab5fd9450c82f139b7ad757d1511f39dff08246245daf9f23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/common-whisper.cpp"}, "region": {"startLine": 237}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 89695, "scanner": "repobility-threat-engine", "fingerprint": "7628536d15b0e396078ffefd76507d9ffd3d9992078f82237d6b8721110b4d05", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(w, \" \", Colorize(token.Text, int(token.P*24.0)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|11|print w colorize token.text int token.p 24.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bindings/go/examples/go-whisper/process.go"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 89693, "scanner": "repobility-threat-engine", "fingerprint": "75e89241f4728049be0899c7dacabfe0266c69f4f031aa14819319fd7a46df57", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|75e89241f4728049be0899c7dacabfe0266c69f4f031aa14819319fd7a46df57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.swiftui/whisper.swiftui.demo/Models/WhisperState.swift"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 89692, "scanner": "repobility-threat-engine", "fingerprint": "9113c762012db2f2d44381de48798b591a0c72ac28bdad0010250ffa6f214f68", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9113c762012db2f2d44381de48798b591a0c72ac28bdad0010250ffa6f214f68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bindings/javascript/libwhisper.worker.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 89691, "scanner": "repobility-threat-engine", "fingerprint": "766eb31d3842ffada59ff24b70eb3858f73d1c1ec34e3d770ec7a2702376f63f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.NewRequest(\"GET\", m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|766eb31d3842ffada59ff24b70eb3858f73d1c1ec34e3d770ec7a2702376f63f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bindings/go/examples/go-model-download/main.go"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 89841, "scanner": "repobility-supply-chain", "fingerprint": "152165d51cbedc6763df19d460b6495d3c402ed5126b4d07ff3d4311646b1ce5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|152165d51cbedc6763df19d460b6495d3c402ed5126b4d07ff3d4311646b1ce5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-quantize.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 89840, "scanner": "repobility-supply-chain", "fingerprint": "c9ab01d005cb74f9b40e0134265f2cd3915673c79296fdb69566bebace97d273", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9ab01d005cb74f9b40e0134265f2cd3915673c79296fdb69566bebace97d273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-cpu.yml"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 89839, "scanner": "repobility-supply-chain", "fingerprint": "87e8dfaa26acbb4873409822999c39df44fc28b92fbb7dd1dc3210a09eec1e8f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|87e8dfaa26acbb4873409822999c39df44fc28b92fbb7dd1dc3210a09eec1e8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-cpu.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 89838, "scanner": "repobility-supply-chain", "fingerprint": "85c4b15c6b50ad7a8241e7df3b2c504e1bddd7840f1e6848079d091d5967c446", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85c4b15c6b50ad7a8241e7df3b2c504e1bddd7840f1e6848079d091d5967c446"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-cpu.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 89837, "scanner": "repobility-supply-chain", "fingerprint": "30eb029283f5e06f420ba2d5570a8194db7dc4b1004b7d7a7e8aa49db5bb887a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|30eb029283f5e06f420ba2d5570a8194db7dc4b1004b7d7a7e8aa49db5bb887a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-cpu.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 89836, "scanner": "repobility-supply-chain", "fingerprint": "ef4ced6395bea3a80e64fb053fc5a318152e28bd5fb8cd6eba8ceade082ddc43", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef4ced6395bea3a80e64fb053fc5a318152e28bd5fb8cd6eba8ceade082ddc43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-cpu.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.HF_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 89835, "scanner": "repobility-supply-chain", "fingerprint": "bc79352ecf2061ba6f1d91779f5b45cbdfc08c312a69819889eac75fa5136588", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc79352ecf2061ba6f1d91779f5b45cbdfc08c312a69819889eac75fa5136588"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/examples.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 89741, "scanner": "repobility-threat-engine", "fingerprint": "307bfab4e027f3ff1ecdedad2e21aef81b9ac03111b2930c9bd7f8838bd6a097", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|307bfab4e027f3ff1ecdedad2e21aef81b9ac03111b2930c9bd7f8838bd6a097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-hexagon/htp/worker-pool.c"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 89740, "scanner": "repobility-threat-engine", "fingerprint": "4c08f567774281305ca4792841c1790187a1c2a09ab0c8cfe2c2d8a46c9514a8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c08f567774281305ca4792841c1790187a1c2a09ab0c8cfe2c2d8a46c9514a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ggml/src/ggml-hexagon/htp-opnode.h"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 89706, "scanner": "repobility-threat-engine", "fingerprint": "d06f50c4b497ff205a529eec4ad316a01ba652a3bb387c17e36e5f19b178eb54", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(totalLength", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d06f50c4b497ff205a529eec4ad316a01ba652a3bb387c17e36e5f19b178eb54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/whisper.android/app/src/main/java/com/whispercppdemo/media/RiffWaveHelper.kt"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 89705, "scanner": "repobility-threat-engine", "fingerprint": "db454d481bf5e2db5e78024b145fb2f182b3087656fd5e8279d67a80db36a4c0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|db454d481bf5e2db5e78024b145fb2f182b3087656fd5e8279d67a80db36a4c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/addon.node/vad-example.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 89704, "scanner": "repobility-threat-engine", "fingerprint": "31fd1a9f50d600c92e13c53ec7a038a2957307974743553a49276033c5fa89fd", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|31fd1a9f50d600c92e13c53ec7a038a2957307974743553a49276033c5fa89fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/addon.node/index.js"}, "region": {"startLine": 7}}}]}]}]}