{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /co"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /cookbook-versions/cookstyle_evaluation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /tools."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /tools."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 44.1% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 44.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 44.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", 
"category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-76p7-773f-r4q5", "name": "serialize-javascript: GHSA-76p7-773f-r4q5", "shortDescription": {"text": "serialize-javascript: GHSA-76p7-773f-r4q5"}, "fullDescription": {"text": "Cross-site Scripting (XSS) in serialize-javascript"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6rw7-vpxm-498p", "name": "qs: GHSA-6rw7-vpxm-498p", "shortDescription": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "fullDescription": {"text": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwcw-c2x4-8c55", "name": "nanoid: GHSA-mwcw-c2x4-8c55", "shortDescription": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "fullDescription": {"text": "Predictable results in nanoid generation when given non-integer values"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh29-5h37-fv8m", "name": "js-yaml: GHSA-mh29-5h37-fv8m", "shortDescription": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "fullDescription": {"text": "js-yaml has prototype pollution in merge (<<)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": 
"brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rx22-g9mx-qrhv", "name": "rack: GHSA-rx22-g9mx-qrhv", "shortDescription": {"text": "rack: GHSA-rx22-g9mx-qrhv"}, "fullDescription": {"text": "Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qfgr-crr9-7r49", "name": "rack: GHSA-qfgr-crr9-7r49", "shortDescription": {"text": "rack: GHSA-qfgr-crr9-7r49"}, "fullDescription": {"text": "Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g2pf-xv49-m2h5", "name": "rack: GHSA-g2pf-xv49-m2h5", "shortDescription": {"text": "rack: GHSA-g2pf-xv49-m2h5"}, "fullDescription": {"text": "Rack::Request accepts invalid Host characters, enabling host allowlist bypass"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3jfp-46x4-xgfj", "name": "yard: GHSA-3jfp-46x4-xgfj", "shortDescription": {"text": "yard: GHSA-3jfp-46x4-xgfj"}, "fullDescription": {"text": "yard: Possible arbitrary path traversal and file access via yard server"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xv9c-mjw8-79gf", "name": "sidekiq-cron: GHSA-xv9c-mjw8-79gf", "shortDescription": {"text": "sidekiq-cron: GHSA-xv9c-mjw8-79gf"}, 
"fullDescription": {"text": "Sidekiq-cron is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3qc2-v3hp-6cv8", "name": "sidekiq: GHSA-3qc2-v3hp-6cv8", "shortDescription": {"text": "sidekiq: GHSA-3qc2-v3hp-6cv8"}, "fullDescription": {"text": "sidekiq Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x8cg-fq8g-mxfx", "name": "rack: GHSA-x8cg-fq8g-mxfx", "shortDescription": {"text": "rack: GHSA-x8cg-fq8g-mxfx"}, "fullDescription": {"text": "Rack's multipart byte range processing allows denial of service via excessive overlapping ranges"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-whrj-4476-wvmp", "name": "rack: GHSA-whrj-4476-wvmp", "shortDescription": {"text": "rack: GHSA-whrj-4476-wvmp"}, "fullDescription": {"text": "Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vgpv-f759-9wx3", "name": "rack: GHSA-vgpv-f759-9wx3", "shortDescription": {"text": "rack: GHSA-vgpv-f759-9wx3"}, "fullDescription": {"text": "Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qv7j-4883-hwh7", "name": "rack: GHSA-qv7j-4883-hwh7", "shortDescription": {"text": "rack: GHSA-qv7j-4883-hwh7"}, "fullDescription": {"text": "Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q4qf-9j86-f5mh", "name": "rack: GHSA-q4qf-9j86-f5mh", "shortDescription": {"text": "rack: GHSA-q4qf-9j86-f5mh"}, "fullDescription": {"text": "Rack:: Static header_rules bypass via URL-encoded paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q2ww-5357-x388", "name": "rack: GHSA-q2ww-5357-x388", "shortDescription": {"text": "rack: GHSA-q2ww-5357-x388"}, "fullDescription": {"text": "Rack has Content-Length mismatch in Rack::Files error responses"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7mqq-6cf9-v2qp", "name": "rack: GHSA-7mqq-6cf9-v2qp", "shortDescription": {"text": "rack: GHSA-7mqq-6cf9-v2qp"}, "fullDescription": {"text": "Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9hf4-67fc-4vf4", "name": "puma: GHSA-9hf4-67fc-4vf4", "shortDescription": {"text": "puma: GHSA-9hf4-67fc-4vf4"}, "fullDescription": {"text": "Puma's header normalization allows for client to clobber proxy set headers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wx95-c6cv-8532", "name": "nokogiri: GHSA-wx95-c6cv-8532", "shortDescription": {"text": "nokogiri: GHSA-wx95-c6cv-8532"}, "fullDescription": {"text": "Nokogiri does not check the return value from xmlC14NExecute"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2fc-qm4h-8hqv", "name": 
"nokogiri: GHSA-v2fc-qm4h-8hqv", "shortDescription": {"text": "nokogiri: GHSA-v2fc-qm4h-8hqv"}, "fullDescription": {"text": "Nokogiri XSLT transform has a memory leak"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hm49-wcqc-g2xg", "name": "net-imap: GHSA-hm49-wcqc-g2xg", "shortDescription": {"text": "net-imap: GHSA-hm49-wcqc-g2xg"}, "fullDescription": {"text": "net-imap vulnerable to command Injection via \"raw\" arguments to multiple commands"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-87pf-fpwv-p7m7", "name": "net-imap: GHSA-87pf-fpwv-p7m7", "shortDescription": {"text": "net-imap: GHSA-87pf-fpwv-p7m7"}, "fullDescription": {"text": "net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-75xq-5h9v-w6px", "name": "net-imap: GHSA-75xq-5h9v-w6px", "shortDescription": {"text": "net-imap: GHSA-75xq-5h9v-w6px"}, "fullDescription": {"text": "net-imap vulnerable to command Injection via unvalidated Symbol inputs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2m96-52r3-2f3g", "name": "fugit: GHSA-2m96-52r3-2f3g", "shortDescription": {"text": "fugit: GHSA-2m96-52r3-2f3g"}, "fullDescription": {"text": "fugit parse and parse_nat stall on lengthy input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-33mh-2634-fwr2", "name": "faraday: GHSA-33mh-2634-fwr2", "shortDescription": {"text": "faraday: GHSA-33mh-2634-fwr2"}, "fullDescription": {"text": "Faraday affected by SSRF via 
protocol-relative URL host override in build_exclusive_url"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ff6c-w6qf-7xqc", "name": "css_parser: GHSA-ff6c-w6qf-7xqc", "shortDescription": {"text": "css_parser: GHSA-ff6c-w6qf-7xqc"}, "fullDescription": {"text": "CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2xgq-q749-89fq", "name": "aws-sdk-s3: GHSA-2xgq-q749-89fq", "shortDescription": {"text": "aws-sdk-s3: GHSA-2xgq-q749-89fq"}, "fullDescription": {"text": "AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cg4j-q9v8-6v38", "name": "activesupport: GHSA-cg4j-q9v8-6v38", "shortDescription": {"text": "activesupport: GHSA-cg4j-q9v8-6v38"}, "fullDescription": {"text": "Rails Active Support has a possible ReDoS vulnerability in number_to_delimited"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-89vf-4333-qx8v", "name": "activesupport: GHSA-89vf-4333-qx8v", "shortDescription": {"text": "activesupport: GHSA-89vf-4333-qx8v"}, "fullDescription": {"text": "Rails Active Support has a possible XSS vulnerability in SafeBuffer#%"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2j26-frm8-cmj9", "name": "activesupport: GHSA-2j26-frm8-cmj9", "shortDescription": {"text": "activesupport: GHSA-2j26-frm8-cmj9"}, "fullDescription": {"text": "Rails Active Support has a possible DoS vulnerability in its number helpers"}, "properties": 
{"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r46p-8f7g-vvvg", "name": "activestorage: GHSA-r46p-8f7g-vvvg", "shortDescription": {"text": "activestorage: GHSA-r46p-8f7g-vvvg"}, "fullDescription": {"text": "Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qcfx-2mfw-w4cg", "name": "activestorage: GHSA-qcfx-2mfw-w4cg", "shortDescription": {"text": "activestorage: GHSA-qcfx-2mfw-w4cg"}, "fullDescription": {"text": "Rails Active Storage has possible content type bypass via metadata in direct uploads"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-73f9-jhhh-hr5m", "name": "activestorage: GHSA-73f9-jhhh-hr5m", "shortDescription": {"text": "activestorage: GHSA-73f9-jhhh-hr5m"}, "fullDescription": {"text": "Rails Active Storage has possible glob injection in its DiskService"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. 
Recreating the container can lose state."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. 
Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `chai` is 5 major version(s) behind (1.8.1 -> 6.2.2)", "shortDescription": {"text": "npm package `chai` is 5 major version(s) behind (1.8.1 -> 6.2.2)"}, "fullDescription": {"text": "`chai` is pinned/resolved at 1.8.1 but the latest stable release on the npm registry is 6.2.2 (5 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-52f5-9888-hmc6", "name": "tmp: GHSA-52f5-9888-hmc6", "shortDescription": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "fullDescription": {"text": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w7fw-mjwx-w883", "name": "qs: GHSA-w7fw-mjwx-w883", "shortDescription": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "fullDescription": {"text": "qs's arrayLimit bypass in comma parsing allows denial of service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", "shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pxg6-pf52-xh8x", "name": "cookie: 
GHSA-pxg6-pf52-xh8x", "shortDescription": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "fullDescription": {"text": "cookie accepts cookie name, path, and domain with out of bounds characters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j4pr-3wm6-xx2r", "name": "uri: GHSA-j4pr-3wm6-xx2r", "shortDescription": {"text": "uri: GHSA-j4pr-3wm6-xx2r"}, "fullDescription": {"text": "URI Credential Leakage Bypass over CVE-2025-27221"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5rv5-xj5j-3484", "name": "faraday: GHSA-5rv5-xj5j-3484", "shortDescription": {"text": "faraday: GHSA-5rv5-xj5j-3484"}, "fullDescription": {"text": "Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2f4-jgmc-q2r5", "name": "rexml: GHSA-c2f4-jgmc-q2r5", "shortDescription": {"text": "rexml: GHSA-c2f4-jgmc-q2r5"}, "fullDescription": {"text": "REXML has DoS condition when parsing malformed XML file"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q2mw-fvj9-vvcw", "name": "net-imap: GHSA-q2mw-fvj9-vvcw", "shortDescription": {"text": "net-imap: GHSA-q2mw-fvj9-vvcw"}, "fullDescription": {"text": "net-imap has quadratic complexity 
when reading response literals"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p9fm-f462-ggrg", "name": "activestorage: GHSA-p9fm-f462-ggrg", "shortDescription": {"text": "activestorage: GHSA-p9fm-f462-ggrg"}, "fullDescription": {"text": "Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v55j-83pf-r9cq", "name": "actionview: GHSA-v55j-83pf-r9cq", "shortDescription": {"text": "actionview: GHSA-v55j-83pf-r9cq"}, "fullDescription": {"text": "Rails has a possible XSS vulnerability in its Action View tag helpers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a loopback host port", "shortDescription": {"text": "Database service publishes a loopback host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC109", "name": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled (and 1 more): Same pattern found in 1 additional ", "shortDescription": {"text": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Remove the skip. For pure-API controllers, inherit from ActionController::API instead (which doesn't include forgery protection). For Bearer-auth APIs, use `protect_from_forgery with: :null_session` only on those specific controllers."}, "properties": {"scanner": "repobility-threat-engine", "category": "csrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC097", "name": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing (and 1 more): Same pattern found in 1 additional file", "shortDescription": {"text": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Set `config.force_ssl = true` in production.rb. 
Use `protect_from_forgery with: :exception`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /cookbooks/:id/transfer_owners"}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /cookbooks/:id/transfer_ownership."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-677m-j7p3-52f9", "name": "socket.io-parser: GHSA-677m-j7p3-52f9", "shortDescription": {"text": "socket.io-parser: GHSA-677m-j7p3-52f9"}, "fullDescription": {"text": "socket.io allows an unbounded number of binary attachments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via 
multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6x5-cg8r-vv6x", "name": "rack: GHSA-v6x5-cg8r-vv6x", "shortDescription": {"text": "rack: GHSA-v6x5-cg8r-vv6x"}, "fullDescription": {"text": "Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c4r5-fxqw-vh93", "name": "ruby-lsp: GHSA-c4r5-fxqw-vh93", "shortDescription": {"text": "ruby-lsp: GHSA-c4r5-fxqw-vh93"}, "fullDescription": {"text": "Ruby LSP has arbitrary code execution through branch setting"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v569-hp3g-36wr", "name": "rack: GHSA-v569-hp3g-36wr", "shortDescription": {"text": "rack: GHSA-v569-hp3g-36wr"}, "fullDescription": {"text": "Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mxw3-3hh2-x2mh", "name": "rack: GHSA-mxw3-3hh2-x2mh", "shortDescription": {"text": "rack: GHSA-mxw3-3hh2-x2mh"}, "fullDescription": {"text": "Rack has a Directory Traversal via Rack:Directory"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h2jq-g4cq-5ppq", "name": "rack: GHSA-h2jq-g4cq-5ppq", "shortDescription": {"text": "rack: GHSA-h2jq-g4cq-5ppq"}, "fullDescription": {"text": "Rack::Static prefix matching can expose unintended files under the static root"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8vqr-qjwx-82mw", "name": "rack: GHSA-8vqr-qjwx-82mw", "shortDescription": {"text": "rack: 
GHSA-8vqr-qjwx-82mw"}, "fullDescription": {"text": "Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c4rq-3m3g-8wgx", "name": "nokogiri: GHSA-c4rq-3m3g-8wgx", "shortDescription": {"text": "nokogiri: GHSA-c4rq-3m3g-8wgx"}, "fullDescription": {"text": "Nokogiri CSS selector tokenizer has regular expression backtracking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vcgp-9326-pqcp", "name": "net-imap: GHSA-vcgp-9326-pqcp", "shortDescription": {"text": "net-imap: GHSA-vcgp-9326-pqcp"}, "fullDescription": {"text": "net-imap vulnerable to STARTTLS stripping via invalid response timing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c32j-vqhx-rx3x", "name": "jwt: GHSA-c32j-vqhx-rx3x", "shortDescription": {"text": "jwt: GHSA-c32j-vqhx-rx3x"}, "fullDescription": {"text": "ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q339-8rmv-2mhv", "name": "erb: GHSA-q339-8rmv-2mhv", "shortDescription": {"text": "erb: GHSA-q339-8rmv-2mhv"}, "fullDescription": {"text": "ERB has an @_init deserialization guard bypass via def_module / def_method / def_class"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h27x-rffw-24p4", "name": "addressable: GHSA-h27x-rffw-24p4", "shortDescription": {"text": "addressable: GHSA-h27x-rffw-24p4"}, "fullDescription": {"text": "Addressable has a Regular Expression Denial of Service in Addressable 
templates"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9xrj-h377-fr87", "name": "activestorage: GHSA-9xrj-h377-fr87", "shortDescription": {"text": "activestorage: GHSA-9xrj-h377-fr87"}, "fullDescription": {"text": "Rails Active Storage has possible Path Traversal in DiskService"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5039", "name": "stdlib: GO-2026-5039", "shortDescription": {"text": "stdlib: GO-2026-5039"}, "fullDescription": {"text": "Arbitrary inputs are included in errors without any escaping in net/textproto"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5038", "name": "stdlib: GO-2026-5038", "shortDescription": {"text": "stdlib: GO-2026-5038"}, "fullDescription": {"text": "Quadratic complexity in WordDecoder.DecodeHeader in mime"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5037", "name": "stdlib: GO-2026-5037", "shortDescription": {"text": "stdlib: GO-2026-5037"}, "fullDescription": {"text": "Inefficient candidate hostname parsing in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4986", "name": "stdlib: GO-2026-4986", "shortDescription": {"text": "stdlib: GO-2026-4986"}, "fullDescription": {"text": "Quadratic string concatenation in consumeComment in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4982", "name": "stdlib: GO-2026-4982", "shortDescription": {"text": "stdlib: GO-2026-4982"}, "fullDescription": 
{"text": "Bypass of meta content URL escaping causes XSS in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4981", "name": "stdlib: GO-2026-4981", "shortDescription": {"text": "stdlib: GO-2026-4981"}, "fullDescription": {"text": "Crash when handling long CNAME response in net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4980", "name": "stdlib: GO-2026-4980", "shortDescription": {"text": "stdlib: GO-2026-4980"}, "fullDescription": {"text": "Escaper bypass leads to XSS in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4977", "name": "stdlib: GO-2026-4977", "shortDescription": {"text": "stdlib: GO-2026-4977"}, "fullDescription": {"text": "Quadratic string concatenation in consumePhrase in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4976", "name": "stdlib: GO-2026-4976", "shortDescription": {"text": "stdlib: GO-2026-4976"}, "fullDescription": {"text": "ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4971", "name": "stdlib: GO-2026-4971", "shortDescription": {"text": "stdlib: GO-2026-4971"}, "fullDescription": {"text": "Panic in Dial and LookupPort when handling NUL byte on Windows in net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4947", "name": "stdlib: GO-2026-4947", "shortDescription": {"text": "stdlib: 
GO-2026-4947"}, "fullDescription": {"text": "Unexpected work during chain building in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4946", "name": "stdlib: GO-2026-4946", "shortDescription": {"text": "stdlib: GO-2026-4946"}, "fullDescription": {"text": "Inefficient policy validation in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4918", "name": "stdlib: GO-2026-4918", "shortDescription": {"text": "stdlib: GO-2026-4918"}, "fullDescription": {"text": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4870", "name": "stdlib: GO-2026-4870", "shortDescription": {"text": "stdlib: GO-2026-4870"}, "fullDescription": {"text": "Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4869", "name": "stdlib: GO-2026-4869", "shortDescription": {"text": "stdlib: GO-2026-4869"}, "fullDescription": {"text": "Unbounded allocation for old GNU sparse in archive/tar"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4865", "name": "stdlib: GO-2026-4865", "shortDescription": {"text": "stdlib: GO-2026-4865"}, "fullDescription": {"text": "JsBraceDepth Context Tracking Bugs (XSS) in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"GO-2026-4864", "name": "stdlib: GO-2026-4864", "shortDescription": {"text": "stdlib: GO-2026-4864"}, "fullDescription": {"text": "TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4603", "name": "stdlib: GO-2026-4603", "shortDescription": {"text": "stdlib: GO-2026-4603"}, "fullDescription": {"text": "URLs in meta content attribute actions are not escaped in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4602", "name": "stdlib: GO-2026-4602", "shortDescription": {"text": "stdlib: GO-2026-4602"}, "fullDescription": {"text": "FileInfo can escape from a Root in os"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4601", "name": "stdlib: GO-2026-4601", "shortDescription": {"text": "stdlib: GO-2026-4601"}, "fullDescription": {"text": "Incorrect parsing of IPv6 host literals in net/url"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4403", "name": "stdlib: GO-2026-4403", "shortDescription": {"text": "stdlib: GO-2026-4403"}, "fullDescription": {"text": "Improper access to parent directory of root in os"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4342", "name": "stdlib: GO-2026-4342", "shortDescription": {"text": "stdlib: GO-2026-4342"}, "fullDescription": {"text": "Excessive CPU consumption when building archive index in archive/zip"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, 
{"id": "GO-2026-4341", "name": "stdlib: GO-2026-4341", "shortDescription": {"text": "stdlib: GO-2026-4341"}, "fullDescription": {"text": "Memory exhaustion in query parameter parsing in net/url"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4340", "name": "stdlib: GO-2026-4340", "shortDescription": {"text": "stdlib: GO-2026-4340"}, "fullDescription": {"text": "Handshake messages may be processed at the incorrect encryption level in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4337", "name": "stdlib: GO-2026-4337", "shortDescription": {"text": "stdlib: GO-2026-4337"}, "fullDescription": {"text": "Unexpected session resumption in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4175", "name": "stdlib: GO-2025-4175", "shortDescription": {"text": "stdlib: GO-2025-4175"}, "fullDescription": {"text": "Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4155", "name": "stdlib: GO-2025-4155", "shortDescription": {"text": "stdlib: GO-2025-4155"}, "fullDescription": {"text": "Excessive resource consumption when printing error string for host certificate validation in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4015", "name": "stdlib: GO-2025-4015", "shortDescription": {"text": "stdlib: GO-2025-4015"}, "fullDescription": {"text": "Excessive CPU consumption in Reader.ReadResponse in net/textproto"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4014", "name": "stdlib: GO-2025-4014", "shortDescription": {"text": "stdlib: GO-2025-4014"}, "fullDescription": {"text": "Unbounded allocation when parsing GNU sparse map in archive/tar"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4013", "name": "stdlib: GO-2025-4013", "shortDescription": {"text": "stdlib: GO-2025-4013"}, "fullDescription": {"text": "Panic when validating certificates with DSA public keys in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4012", "name": "stdlib: GO-2025-4012", "shortDescription": {"text": "stdlib: GO-2025-4012"}, "fullDescription": {"text": "Lack of limit when parsing cookies can cause memory exhaustion in net/http"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4011", "name": "stdlib: GO-2025-4011", "shortDescription": {"text": "stdlib: GO-2025-4011"}, "fullDescription": {"text": "Parsing DER payload can cause memory exhaustion in encoding/asn1"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4010", "name": "stdlib: GO-2025-4010", "shortDescription": {"text": "stdlib: GO-2025-4010"}, "fullDescription": {"text": "Insufficient validation of bracketed IPv6 hostnames in net/url"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4009", "name": "stdlib: GO-2025-4009", "shortDescription": {"text": "stdlib: GO-2025-4009"}, "fullDescription": {"text": "Quadratic complexity when parsing some invalid 
inputs in encoding/pem"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4008", "name": "stdlib: GO-2025-4008", "shortDescription": {"text": "stdlib: GO-2025-4008"}, "fullDescription": {"text": "ALPN negotiation error contains attacker controlled information in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4007", "name": "stdlib: GO-2025-4007", "shortDescription": {"text": "stdlib: GO-2025-4007"}, "fullDescription": {"text": "Quadratic complexity when checking name constraints in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4006", "name": "stdlib: GO-2025-4006", "shortDescription": {"text": "stdlib: GO-2025-4006"}, "fullDescription": {"text": "Excessive CPU consumption in ParseAddress in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3956", "name": "stdlib: GO-2025-3956", "shortDescription": {"text": "stdlib: GO-2025-3956"}, "fullDescription": {"text": "Unexpected paths returned from LookPath in os/exec"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3849", "name": "stdlib: GO-2025-3849", "shortDescription": {"text": "stdlib: GO-2025-3849"}, "fullDescription": {"text": "Incorrect results returned from Rows.Scan in database/sql"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3751", "name": "stdlib: GO-2025-3751", "shortDescription": {"text": "stdlib: GO-2025-3751"}, "fullDescription": {"text": "Sensitive headers not 
cleared on cross-origin redirect in net/http"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3750", "name": "stdlib: GO-2025-3750", "shortDescription": {"text": "stdlib: GO-2025-3750"}, "fullDescription": {"text": "Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3563", "name": "stdlib: GO-2025-3563", "shortDescription": {"text": "stdlib: GO-2025-3563"}, "fullDescription": {"text": "Request smuggling due to acceptance of invalid chunked data in net/http"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3503", "name": "stdlib: GO-2025-3503", "shortDescription": {"text": "stdlib: GO-2025-3503"}, "fullDescription": {"text": "HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC113", "name": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impe", "shortDescription": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "fullDescription": {"text": "Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. 
Java JSch: load known_hosts via `jsch.setKnownHosts(...)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC080", "name": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-", "shortDescription": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0)."}, "fullDescription": {"text": "Add `filter='data'` (Python \u2265 3.12) or manually validate member paths against `os.path.abspath`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v1`", "shortDescription": {"text": "Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v1`"}, "fullDescription": {"text": "`uses: github/codeql-action/upload-sarif@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `redis:latest` unpinned", "shortDescription": {"text": "Workflow container/services image `redis:latest` unpinned"}, "fullDescription": {"text": "`container/services image: redis:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-33qg-7wpp-89cq", "name": "rack-session: GHSA-33qg-7wpp-89cq", "shortDescription": {"text": "rack-session: GHSA-33qg-7wpp-89cq"}, "fullDescription": {"text": "Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "private-key", "name": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.", "shortDescription": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "fullDescription": 
{"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1178"}, "properties": {"repository": "chef/supermarket", "repoUrl": "https://github.com/chef/supermarket", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 118259, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /cookbook-versions/cookstyle_evaluation."}, "properties": {"repobilityId": 118257, "scanner": "repobility-access-control", "fingerprint": "a54db0422a10387ce006dd06c706393a89d8f5dd8416c257ae516dceed73e8b5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cookbook-versions/cookstyle_evaluation", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|27|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 27}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /users/:user."}, "properties": {"repobilityId": 118256, "scanner": "repobility-access-control", "fingerprint": "7a4119f718da1fe5b8b79ea92b0267ac3e6cdef4b3cd6a7a0046222d63ee79a9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users/:user", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|23|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 23}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /cookbooks/:cookbook/versions/:version."}, "properties": {"repobilityId": 118255, "scanner": "repobility-access-control", "fingerprint": "1c0b4e0479ca81c71a795c9a805186af1f5faa21f4af9ffec62d1b9d8b788769", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cookbooks/:cookbook/versions/:version", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|22|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /cookbooks/:cookbook."}, "properties": {"repobilityId": 118254, "scanner": "repobility-access-control", "fingerprint": "2635238798d373454528fdf2ef6c541bf88ad38df00da6fdcb9ea9db4beb0acd", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cookbooks/:cookbook", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|21|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 21}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /cookbooks."}, "properties": {"repobilityId": 118253, "scanner": "repobility-access-control", "fingerprint": "bccb96f1d91bb4a9aa9ec569177e8e5c4d41f6ad61c25a1c2346baef016e081f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cookbooks", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|20|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 20}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /cookbooks/:cookbook/versions/:version/download."}, "properties": {"repobilityId": 118252, "scanner": "repobility-access-control", "fingerprint": "a597c73ca73e20460e7cfe38961a7cae2a9b97a0272c6b05909def0d37a9171a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cookbooks/:cookbook/versions/:version/download", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|19|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 19}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /cookbooks/:cookbook/versions/:version."}, "properties": {"repobilityId": 118251, "scanner": "repobility-access-control", "fingerprint": "9ece3ccf04ca6a10357bb8de20e8b18e971be1d2020432745972e6e231b8a18e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cookbooks/:cookbook/versions/:version", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|18|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /cookbooks/:cookbook/contingent."}, "properties": {"repobilityId": 118250, "scanner": "repobility-access-control", "fingerprint": "56ca747721aaab78e2e70014d56888a355b565369f9bda37df8e57d2fb16f623", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cookbooks/:cookbook/contingent", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|17|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 17}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /cookbooks/:cookbook."}, "properties": {"repobilityId": 118249, "scanner": "repobility-access-control", "fingerprint": "13b57831f10fa900fa49657c491be2de381997eeff219ce6a71128e4d8a46a36", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cookbooks/:cookbook", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|16|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 16}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /search."}, "properties": {"repobilityId": 118248, "scanner": "repobility-access-control", "fingerprint": "3fd0b91c0c33ffd78828061c44ab7dc1dd0c5e2e5f90555f2e85d5c39c9f13e8", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/search", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|15|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /tools."}, "properties": {"repobilityId": 118247, "scanner": "repobility-access-control", "fingerprint": "b5cbb9334fecd2f120606dc559c9899e8f5adfedda7b3a2226fccb1e7a306f91", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/tools", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|104|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 104}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application 
admin access. Endpoint: ANY /group_members."}, "properties": {"repobilityId": 118246, "scanner": "repobility-access-control", "fingerprint": "4f2b7cdbe6704c56adb70e1c52632fe08e482c68cb55ac8ce1810b3df0988e84", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/group_members", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|98|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 98}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /groups."}, "properties": {"repobilityId": 118245, "scanner": "repobility-access-control", "fingerprint": "8b698475b086607a7a8451ae0e86b2c04d9a6acb26a29b00705066513f00a545", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/groups", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|96|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 96}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /accounts."}, "properties": {"repobilityId": 118244, "scanner": "repobility-access-control", "fingerprint": "39bdf731c28f55e574120920e39408a5ea515607d3dac00c5466668dd5cd2152", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/accounts", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|93|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 93}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /users."}, "properties": {"repobilityId": 118243, "scanner": "repobility-access-control", "fingerprint": "d51d5c4e64c7399ec85212de6e97d7da86157899a5a589e259cf43561eb19d15", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|83|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 83}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 44.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 118241, "scanner": "repobility-access-control", "fingerprint": "d0507c4612f32b9604a70c70eeb1a4fd096a276b674ac74d452f67052c45f7c5", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 59, "correlation_key": "fp|d0507c4612f32b9604a70c70eeb1a4fd096a276b674ac74d452f67052c45f7c5", "auth_visible_percent": 44.1}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 118240, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": 
"medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Rails"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 118239, "scanner": "osv-scanner", "fingerprint": "f9e568f9788f5961723b77645835c9dbe753fbade75242463862f9888d92cd0b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 118235, "scanner": "osv-scanner", "fingerprint": "9eb1299616dd8ec3f3605691eb8090663544a3e7956655e8ae49996c619dfb53", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-76p7-773f-r4q5", 
"level": "warning", "message": {"text": "serialize-javascript: GHSA-76p7-773f-r4q5"}, "properties": {"repobilityId": 118234, "scanner": "osv-scanner", "fingerprint": "278073298d8ce47014b04f3d7a39e101c9505e8150b31cacaa0e72a3209d0afb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-11831"], "package": "serialize-javascript", "rule_id": "GHSA-76p7-773f-r4q5", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2024-11831|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 118231, "scanner": "osv-scanner", "fingerprint": "fed55e775839af82503f9331727a357ea3d73acc62abb185a9a9d102e874073f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6rw7-vpxm-498p", "level": "warning", "message": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "properties": {"repobilityId": 118230, "scanner": "osv-scanner", "fingerprint": "ddd5571158a529ffd61401a0532e241bc67c0524639536f3eee3f0a5dbd1a31f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-15284"], "package": "qs", "rule_id": "GHSA-6rw7-vpxm-498p", "scanner": "osv-scanner", "correlation_key": 
"vuln|qs|CVE-2025-15284|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 118228, "scanner": "osv-scanner", "fingerprint": "8be9e4937424b46f55a247d4561aba1fba0d76cddf00d94f35a07f8cecd0253b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwcw-c2x4-8c55", "level": "warning", "message": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "properties": {"repobilityId": 118227, "scanner": "osv-scanner", "fingerprint": "7cb47842ee8586bdf08d90aecd1963e4f114ef678539f0b18cee94e2fffd986f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-55565"], "package": "nanoid", "rule_id": "GHSA-mwcw-c2x4-8c55", "scanner": "osv-scanner", "correlation_key": "vuln|nanoid|CVE-2024-55565|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 118223, "scanner": "osv-scanner", "fingerprint": "9d7a99d29c20d22c0b1a8fa25b4e46cb91beab817e23e0209a6ab2310b3d829b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 118221, "scanner": "osv-scanner", "fingerprint": "4abc4d88da2513ee52ac3804462be85922daaaac88d9513e3c3da0037f82491f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 118220, "scanner": "osv-scanner", "fingerprint": "196511591a3146df05003cc50d1ce12ad8ab8e8c070b6e7fe947b3646825018b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 118219, "scanner": "osv-scanner", "fingerprint": 
"528d99651162d88b8ac1f695563399f7665260378ecdc6b8da75f5cd73ddcb30", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 118213, "scanner": "osv-scanner", "fingerprint": "f5c9c6d7804761a2c281ec2016883c7c26fde17ade3d95385bbd911927f9b0da", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rx22-g9mx-qrhv", "level": "warning", "message": {"text": "rack: GHSA-rx22-g9mx-qrhv"}, "properties": {"repobilityId": 118209, "scanner": "osv-scanner", "fingerprint": "867a501aff75f8537cd2b98e8762e65f60e6308930462340333708d66bb16548", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26962"], "package": "rack", "rule_id": "GHSA-rx22-g9mx-qrhv", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-26962|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/engines/fieri/Gemfile.lock"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-qfgr-crr9-7r49", "level": "warning", "message": {"text": "rack: GHSA-qfgr-crr9-7r49"}, "properties": {"repobilityId": 118208, "scanner": "osv-scanner", "fingerprint": "41167a56f8c9d773650106770bb6903177232c32620cf8431d15b52f17ea2b7b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32762"], "package": "rack", "rule_id": "GHSA-qfgr-crr9-7r49", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-32762|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/engines/fieri/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g2pf-xv49-m2h5", "level": "warning", "message": {"text": "rack: GHSA-g2pf-xv49-m2h5"}, "properties": {"repobilityId": 118207, "scanner": "osv-scanner", "fingerprint": "c1595d20e12df68f95c1747b9b0ec798dff0f1abd98c77f88b28357dbe952c51", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34835"], "package": "rack", "rule_id": "GHSA-g2pf-xv49-m2h5", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-34835|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/engines/fieri/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3jfp-46x4-xgfj", "level": "warning", "message": {"text": "yard: GHSA-3jfp-46x4-xgfj"}, "properties": {"repobilityId": 118205, "scanner": "osv-scanner", "fingerprint": "dc0ac6283113c13ca68244cdd3f57e49538f9f5e2460b3ebdb637148547179b5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41493"], "package": "yard", "rule_id": "GHSA-3jfp-46x4-xgfj", "scanner": 
"osv-scanner", "correlation_key": "vuln|yard|CVE-2026-41493|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xv9c-mjw8-79gf", "level": "warning", "message": {"text": "sidekiq-cron: GHSA-xv9c-mjw8-79gf"}, "properties": {"repobilityId": 118204, "scanner": "osv-scanner", "fingerprint": "84fc101334d0273c132a640ffb56fb75c88f9d4ebfc849052e430f488d21373a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-67202"], "package": "sidekiq-cron", "rule_id": "GHSA-xv9c-mjw8-79gf", "scanner": "osv-scanner", "correlation_key": "vuln|sidekiq-cron|CVE-2025-67202|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3qc2-v3hp-6cv8", "level": "warning", "message": {"text": "sidekiq: GHSA-3qc2-v3hp-6cv8"}, "properties": {"repobilityId": 118203, "scanner": "osv-scanner", "fingerprint": "641c458fc7b46b341868db4179be7a4baa0435e841af3c4b976468381efce126", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-26141"], "package": "sidekiq", "rule_id": "GHSA-3qc2-v3hp-6cv8", "scanner": "osv-scanner", "correlation_key": "vuln|sidekiq|CVE-2023-26141|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x8cg-fq8g-mxfx", "level": "warning", "message": {"text": "rack: GHSA-x8cg-fq8g-mxfx"}, "properties": {"repobilityId": 118200, "scanner": "osv-scanner", "fingerprint": "ffa33b03fc363916c6ab49bee7a30701aeea8458b432d871a03fa2cc79bc3a72", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34826"], "package": "rack", "rule_id": "GHSA-x8cg-fq8g-mxfx", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-34826|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-x8cg-fq8g-mxfx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8e1115e8cd7f78dd56c7aaab5ac653a52c679a34d27d016f8357c4203a741ec9", "ffa33b03fc363916c6ab49bee7a30701aeea8458b432d871a03fa2cc79bc3a72"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-whrj-4476-wvmp", "level": "warning", "message": {"text": "rack: GHSA-whrj-4476-wvmp"}, "properties": {"repobilityId": 118199, "scanner": "osv-scanner", "fingerprint": "1ce05d339c3b758960f460e46f9389c9909dce1543231cc0210c2e59090d03b9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25500"], "package": "rack", "rule_id": "GHSA-whrj-4476-wvmp", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-25500|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-whrj-4476-wvmp"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1ce05d339c3b758960f460e46f9389c9909dce1543231cc0210c2e59090d03b9", "4a876de5512f4ffcb0f26227ceff0d041e1f6d45e7be9f16fb1b8e56f8bda1eb"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vgpv-f759-9wx3", "level": "warning", "message": {"text": "rack: GHSA-vgpv-f759-9wx3"}, "properties": {"repobilityId": 118198, "scanner": "osv-scanner", "fingerprint": 
"5590a3d70f87d19f7d891851bc88b124b3cce18b0209aa73513e5efd098a189d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-26961"], "package": "rack", "rule_id": "GHSA-vgpv-f759-9wx3", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-26961|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-vgpv-f759-9wx3"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5590a3d70f87d19f7d891851bc88b124b3cce18b0209aa73513e5efd098a189d", "6f06e3ee3d5f2811f4a12f1cabc193136748d9279aef69a98b2ba514f25a341a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qv7j-4883-hwh7", "level": "warning", "message": {"text": "rack: GHSA-qv7j-4883-hwh7"}, "properties": {"repobilityId": 118196, "scanner": "osv-scanner", "fingerprint": "243af2068cfabb1c44624ed3af48727497e334ab6be321ec5d839959a18c0465", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34830"], "package": "rack", "rule_id": "GHSA-qv7j-4883-hwh7", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-34830|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qv7j-4883-hwh7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["243af2068cfabb1c44624ed3af48727497e334ab6be321ec5d839959a18c0465", "6e2e0ddfae38614c019fa9a1901d4e5bd5670599cfcbfdcab0500d502063ac70"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q4qf-9j86-f5mh", "level": "warning", "message": {"text": 
"rack: GHSA-q4qf-9j86-f5mh"}, "properties": {"repobilityId": 118195, "scanner": "osv-scanner", "fingerprint": "1fe05762443127ef1bf05272c4f9eae11ff5a3e6aac491634f982ddd9ab73f2e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34786"], "package": "rack", "rule_id": "GHSA-q4qf-9j86-f5mh", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-34786|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-q4qf-9j86-f5mh"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["06f5d0e06629b7d418b40938b86f16a7b87b14f7ed74ffb84c4a093250fe90e5", "1fe05762443127ef1bf05272c4f9eae11ff5a3e6aac491634f982ddd9ab73f2e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q2ww-5357-x388", "level": "warning", "message": {"text": "rack: GHSA-q2ww-5357-x388"}, "properties": {"repobilityId": 118194, "scanner": "osv-scanner", "fingerprint": "d0ccc52c578b3b47c910f490ee0eded52d1cd16721778f40fd93b46e1c3e83e1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34831"], "package": "rack", "rule_id": "GHSA-q2ww-5357-x388", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-34831|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-q2ww-5357-x388"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5faa8257b3a7b0a06524769f5b189243fc41b15160c54e1dc4564a4194952cd8", "d0ccc52c578b3b47c910f490ee0eded52d1cd16721778f40fd93b46e1c3e83e1"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7mqq-6cf9-v2qp", "level": "warning", "message": {"text": "rack: GHSA-7mqq-6cf9-v2qp"}, "properties": {"repobilityId": 118190, "scanner": "osv-scanner", "fingerprint": "5f91e1f790dfce72b70c5c833b7b6cd515f1bb8629168c6951249e054cd536fa", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34763"], "package": "rack", "rule_id": "GHSA-7mqq-6cf9-v2qp", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-34763|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-7mqq-6cf9-v2qp"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5f91e1f790dfce72b70c5c833b7b6cd515f1bb8629168c6951249e054cd536fa", "915b8fdfc563b9804d7246a5172cf7ed2165f190c59f6240d6a783598d9de40b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9hf4-67fc-4vf4", "level": "warning", "message": {"text": "puma: GHSA-9hf4-67fc-4vf4"}, "properties": {"repobilityId": 118189, "scanner": "osv-scanner", "fingerprint": "ce17be4fcce18676d931ff13e8f7f31a0885fc6af5785f0970daebf25e9a434f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-45614"], "package": "puma", "rule_id": "GHSA-9hf4-67fc-4vf4", "scanner": "osv-scanner", "correlation_key": "vuln|puma|CVE-2024-45614|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wx95-c6cv-8532", "level": "warning", "message": {"text": "nokogiri: GHSA-wx95-c6cv-8532"}, "properties": {"repobilityId": 118188, "scanner": 
"osv-scanner", "fingerprint": "ed9c0fd63387ddbd241be5d79bc57621f054e33f1134b25d68844de529524b81", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "package": "nokogiri", "rule_id": "GHSA-wx95-c6cv-8532", "scanner": "osv-scanner", "correlation_key": "vuln|nokogiri|GHSA-WX95-C6CV-8532|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-wx95-c6cv-8532"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["95807cbbd216c3444ad32c04f8efdedb1cb5a1ef75746ab17222ca8f2c8b7816", "ed9c0fd63387ddbd241be5d79bc57621f054e33f1134b25d68844de529524b81"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2fc-qm4h-8hqv", "level": "warning", "message": {"text": "nokogiri: GHSA-v2fc-qm4h-8hqv"}, "properties": {"repobilityId": 118187, "scanner": "osv-scanner", "fingerprint": "03d7a71c972d5895ede6a6f87ea60eab958ce31128a1436a362412823ff66d31", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "package": "nokogiri", "rule_id": "GHSA-v2fc-qm4h-8hqv", "scanner": "osv-scanner", "correlation_key": "vuln|nokogiri|GHSA-V2FC-QM4H-8HQV|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-v2fc-qm4h-8hqv"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["03d7a71c972d5895ede6a6f87ea60eab958ce31128a1436a362412823ff66d31", "890d6c23a292d0833a35d4d72b3a5e4afc6411640f1ca0a5b697275d70678b70"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hm49-wcqc-g2xg", "level": "warning", "message": {"text": 
"net-imap: GHSA-hm49-wcqc-g2xg"}, "properties": {"repobilityId": 118183, "scanner": "osv-scanner", "fingerprint": "9e6873d37635dad8abb781135967a3fbabddf01f6ac18bba66aa1755a8aeb7ca", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-42257"], "package": "net-imap", "rule_id": "GHSA-hm49-wcqc-g2xg", "scanner": "osv-scanner", "correlation_key": "vuln|net-imap|CVE-2026-42257|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-hm49-wcqc-g2xg"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["9e6873d37635dad8abb781135967a3fbabddf01f6ac18bba66aa1755a8aeb7ca", "da712ea44746a645da0d5cfdc0e47ca3409c024910d00c0786f196b80cf4bf46"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-87pf-fpwv-p7m7", "level": "warning", "message": {"text": "net-imap: GHSA-87pf-fpwv-p7m7"}, "properties": {"repobilityId": 118182, "scanner": "osv-scanner", "fingerprint": "d1bcbf09b82fd63c018d74b691d63caff0b10396db18a85034ad3efdbc09420a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-42256"], "package": "net-imap", "rule_id": "GHSA-87pf-fpwv-p7m7", "scanner": "osv-scanner", "correlation_key": "vuln|net-imap|CVE-2026-42256|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-87pf-fpwv-p7m7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["6f84fad4f9488898bc939d137fd7cc05a98027c42995c770cc0a03a4449aaddf", "d1bcbf09b82fd63c018d74b691d63caff0b10396db18a85034ad3efdbc09420a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-75xq-5h9v-w6px", "level": "warning", "message": {"text": "net-imap: GHSA-75xq-5h9v-w6px"}, "properties": {"repobilityId": 118181, "scanner": "osv-scanner", "fingerprint": "07fd4c81a690757545c9f570210cb1399741b913648eb87e60d46ad6b79cbe6d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-42258"], "package": "net-imap", "rule_id": "GHSA-75xq-5h9v-w6px", "scanner": "osv-scanner", "correlation_key": "vuln|net-imap|CVE-2026-42258|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-75xq-5h9v-w6px"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["07fd4c81a690757545c9f570210cb1399741b913648eb87e60d46ad6b79cbe6d", "ae3a41d188a92f5d4e0759251b0ccf5d4777d36df5f8162b9644bed87e998904"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2m96-52r3-2f3g", "level": "warning", "message": {"text": "fugit: GHSA-2m96-52r3-2f3g"}, "properties": {"repobilityId": 118179, "scanner": "osv-scanner", "fingerprint": "669747086b942973079ab0c894dce3267b6e225c621ef8c38f633b16e519ccac", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-43380"], "package": "fugit", "rule_id": "GHSA-2m96-52r3-2f3g", "scanner": "osv-scanner", "correlation_key": "vuln|fugit|CVE-2024-43380|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-33mh-2634-fwr2", "level": "warning", "message": {"text": "faraday: GHSA-33mh-2634-fwr2"}, "properties": {"repobilityId": 118178, 
"scanner": "osv-scanner", "fingerprint": "17589632909ed770bd304d84fc039910972c386486cc3d89019099551707bfeb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25765"], "package": "faraday", "rule_id": "GHSA-33mh-2634-fwr2", "scanner": "osv-scanner", "correlation_key": "vuln|faraday|CVE-2026-25765|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-33mh-2634-fwr2"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["17589632909ed770bd304d84fc039910972c386486cc3d89019099551707bfeb", "a9b52f362f6f11937b4dedc7d2ac4eb3c00d571bf5dcd137b9efd0e404333f96"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ff6c-w6qf-7xqc", "level": "warning", "message": {"text": "css_parser: GHSA-ff6c-w6qf-7xqc"}, "properties": {"repobilityId": 118176, "scanner": "osv-scanner", "fingerprint": "1d7cae6a832e88b5282d7d92b5e33d81a95de3a83b2314ca36042a108fa9e4d4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44312"], "package": "css_parser", "rule_id": "GHSA-ff6c-w6qf-7xqc", "scanner": "osv-scanner", "correlation_key": "vuln|css_parser|CVE-2026-44312|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2xgq-q749-89fq", "level": "warning", "message": {"text": "aws-sdk-s3: GHSA-2xgq-q749-89fq"}, "properties": {"repobilityId": 118175, "scanner": "osv-scanner", "fingerprint": "698cff9b91abafbcb51dbd2c21a0c054caa39c1a51d61ae3b5521d8436b1c6c5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-14762"], "package": "aws-sdk-s3", "rule_id": "GHSA-2xgq-q749-89fq", "scanner": "osv-scanner", "correlation_key": "vuln|aws-sdk-s3|CVE-2025-14762|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cg4j-q9v8-6v38", "level": "warning", "message": {"text": "activesupport: GHSA-cg4j-q9v8-6v38"}, "properties": {"repobilityId": 118173, "scanner": "osv-scanner", "fingerprint": "7f870d56bdca06424598fc4bf1a73a1c29b3581a8ce83eff5e600bb975525fd3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33169"], "package": "activesupport", "rule_id": "GHSA-cg4j-q9v8-6v38", "scanner": "osv-scanner", "correlation_key": "vuln|activesupport|CVE-2026-33169|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cg4j-q9v8-6v38"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1358fe23c6c5b3c43d9b163deea64a65d638deebf3db3b80ad4d589bc6e50c6a", "7f870d56bdca06424598fc4bf1a73a1c29b3581a8ce83eff5e600bb975525fd3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-89vf-4333-qx8v", "level": "warning", "message": {"text": "activesupport: GHSA-89vf-4333-qx8v"}, "properties": {"repobilityId": 118172, "scanner": "osv-scanner", "fingerprint": "973c343e6b2b9818bf2910ad0d50812f56fbf422270106ccf91654e826f0269f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33170"], 
"package": "activesupport", "rule_id": "GHSA-89vf-4333-qx8v", "scanner": "osv-scanner", "correlation_key": "vuln|activesupport|CVE-2026-33170|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-89vf-4333-qx8v"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["973c343e6b2b9818bf2910ad0d50812f56fbf422270106ccf91654e826f0269f", "c763f145530f61c14473903ef2d98f790a8a340a08d77e168ea4ee5af9b33fdf"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2j26-frm8-cmj9", "level": "warning", "message": {"text": "activesupport: GHSA-2j26-frm8-cmj9"}, "properties": {"repobilityId": 118171, "scanner": "osv-scanner", "fingerprint": "b6cd171f9a9dbff4b6e76ac14072624502f90de3880e99bd4bcf391ba49488ec", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33176"], "package": "activesupport", "rule_id": "GHSA-2j26-frm8-cmj9", "scanner": "osv-scanner", "correlation_key": "vuln|activesupport|CVE-2026-33176|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-2j26-frm8-cmj9"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["884cdfbd316b93efbee279357f3e94246d5843c22d24c6a9aadce1d68888e28b", "b6cd171f9a9dbff4b6e76ac14072624502f90de3880e99bd4bcf391ba49488ec"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r46p-8f7g-vvvg", "level": "warning", "message": {"text": "activestorage: GHSA-r46p-8f7g-vvvg"}, "properties": {"repobilityId": 118170, "scanner": "osv-scanner", "fingerprint": "a034281077b5944c5665b1e0eac57ff7335125cd5ad7dfc488a55d7c1b9179d3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33174"], "package": "activestorage", "rule_id": "GHSA-r46p-8f7g-vvvg", "scanner": "osv-scanner", "correlation_key": "vuln|activestorage|CVE-2026-33174|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r46p-8f7g-vvvg"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["a034281077b5944c5665b1e0eac57ff7335125cd5ad7dfc488a55d7c1b9179d3", "e7027a650250408e15f7c260dd2431df110a216ff2fecc57c4d31ef3a9e0d500"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qcfx-2mfw-w4cg", "level": "warning", "message": {"text": "activestorage: GHSA-qcfx-2mfw-w4cg"}, "properties": {"repobilityId": 118169, "scanner": "osv-scanner", "fingerprint": "7aeb62b0806b89aaa55b741c94434ee74981cea8a4a314d250d98c489c46fbd5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33173"], "package": "activestorage", "rule_id": "GHSA-qcfx-2mfw-w4cg", "scanner": "osv-scanner", "correlation_key": "vuln|activestorage|CVE-2026-33173|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qcfx-2mfw-w4cg"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["7aeb62b0806b89aaa55b741c94434ee74981cea8a4a314d250d98c489c46fbd5", "b5bfa8cf38926436b1952378b758001cb61557cd5d37cc6fae3f6abc7ca8d1dc"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73f9-jhhh-hr5m", "level": "warning", "message": {"text": "activestorage: GHSA-73f9-jhhh-hr5m"}, "properties": {"repobilityId": 118166, "scanner": "osv-scanner", "fingerprint": 
"daabd66d7957517fc96ec2ea6e8c3f5b9a6dd0bf3ca014a458029b4cab693d43", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33202"], "package": "activestorage", "rule_id": "GHSA-73f9-jhhh-hr5m", "scanner": "osv-scanner", "correlation_key": "vuln|activestorage|CVE-2026-33202|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-73f9-jhhh-hr5m"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["c0be97b256107d66110960c0101e36faea237976b901d4f966010d5ad7c4ce1d", "daabd66d7957517fc96ec2ea6e8c3f5b9a6dd0bf3ca014a458029b4cab693d43"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 118112, "scanner": "repobility-docker", "fingerprint": "520fa5b1d21d63d80540b1e24932bf150c3ea05c6ae080d3cb049a2b3e5e3ca5", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "cache", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|520fa5b1d21d63d80540b1e24932bf150c3ea05c6ae080d3cb049a2b3e5e3ca5", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 118110, "scanner": "repobility-docker", "fingerprint": 
"8d6b84672600f28c3de85e3f4230a3c6843f4231fb5ab36db0897b1bd7aafda5", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|8d6b84672600f28c3de85e3f4230a3c6843f4231fb5ab36db0897b1bd7aafda5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, point mail or links at example.com (a domain IANA reserves as a documentation placeholder under RFC 2606, so no real recipient is reached), and leak that the codebase had an AI scaffolding pass. This match is in db/seeds.rb (seed data, not request-handling code); it is only a production concern if those seeds are loaded into a production database."}, "properties": {"repobilityId": 118105, "scanner": "repobility-threat-engine", "fingerprint": "f49de0818103fc3386c07ad2a382d6f5fe6ad1a7073ce8c1a2f7403300b1241d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: 'http://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f49de0818103fc3386c07ad2a382d6f5fe6ad1a7073ce8c1a2f7403300b1241d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/db/seeds.rb"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug 
output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval). In Rails the equivalent is the detailed exception page enabled by consider_all_requests_local, which renders the backtrace and request parameters to the client. This match is in config/environments/test.rb, a file Rails does not load in production and where the generated test environment enables this setting by design; the check that matters is that config/environments/production.rb leaves consider_all_requests_local false."}, "properties": {"repobilityId": 118103, "scanner": "repobility-threat-engine", "fingerprint": "f437077748ba375e0320c1a6e67714c749f0bfecdbbc1ef93be41e012909cc04", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "config.consider_all_requests_local       = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f437077748ba375e0320c1a6e67714c749f0bfecdbbc1ef93be41e012909cc04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/environments/test.rb"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval). This match (debug = true) is in config/environments/development.rb, which Rails does not load in production; confirm that config/environments/production.rb does not carry the same setting before treating this as a production exposure."}, "properties": {"repobilityId": 118102, "scanner": "repobility-threat-engine", "fingerprint": "45635c31f43fd8d17fccc959a25215ac658ae2b93db89d0f41daa61931401714", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|45635c31f43fd8d17fccc959a25215ac658ae2b93db89d0f41daa61931401714"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/supermarket/config/environments/development.rb"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable. Caveat: the matched text is the method signature def generate_token in app/models/concerns/tokenable.rb, so this finding rests on a nearby keyword rather than on an observed PRNG call; confirm whether the method body draws from rand/Random (predictable) or from SecureRandom (acceptable for tokens) before treating it as confirmed."}, "properties": {"repobilityId": 118101, "scanner": "repobility-threat-engine", "fingerprint": "e54f3e19bd1b7fb02378e32aed1697240c8a0b6088eec40cce24f23173df6866", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def generate_token", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|10|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/models/concerns/tokenable.rb"}, "region": {"startLine": 10}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `chai` is 5 major version(s) behind (1.8.1 -> 6.2.2)"}, "properties": {"repobilityId": 118077, "scanner": "repobility-dependency-currency", "fingerprint": "fdd144415aa8c00f4a2e7c269bec438064e2a57ef7d800dadf4dc211cd497f15", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "5 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.2.2", "correlation_key": "fp|fdd144415aa8c00f4a2e7c269bec438064e2a57ef7d800dadf4dc211cd497f15", "current_version": "1.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": 
"warning", "message": {"text": "npm package `body-parser` is 1 major version(s) behind (1.20.3 -> 2.2.2)"}, "properties": {"repobilityId": 118076, "scanner": "repobility-dependency-currency", "fingerprint": "ffa235c07b9cdd990c16c78a11afc75e6f942ddafc932de72d353d65cb8d805d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "body-parser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.2.2", "correlation_key": "fp|ffa235c07b9cdd990c16c78a11afc75e6f942ddafc932de72d353d65cb8d805d", "current_version": "1.20.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 118258, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Rails"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "GHSA-52f5-9888-hmc6", "level": "note", "message": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "properties": {"repobilityId": 118237, "scanner": "osv-scanner", "fingerprint": "e449d86b5778f891bea540cd5ed6a4fbbfb0e62ded660309400bc601f030d3f7", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-54798"], "package": "tmp", "rule_id": "GHSA-52f5-9888-hmc6", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2025-54798|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w7fw-mjwx-w883", "level": "note", "message": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "properties": {"repobilityId": 118232, "scanner": "osv-scanner", "fingerprint": "603461341ea6ea95edd4067d6ed6c715df0aa0cfb0c91dd5f2e8e59793e04b86", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2391"], "package": "qs", "rule_id": "GHSA-w7fw-mjwx-w883", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-2391|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 118216, "scanner": "osv-scanner", "fingerprint": "5c2c1ad5c7bd3ea691ac8e0516bcf26458f4755534a7277bfeaeb10c3f7280f9", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pxg6-pf52-xh8x", "level": "note", "message": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "properties": {"repobilityId": 118215, "scanner": "osv-scanner", "fingerprint": 
"ec65bd707c27bc8a7236f64f9ecf55dfbf20440a5a54e3bea5dc49d0d8379046", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47764"], "package": "cookie", "rule_id": "GHSA-pxg6-pf52-xh8x", "scanner": "osv-scanner", "correlation_key": "vuln|cookie|CVE-2024-47764|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 118214, "scanner": "osv-scanner", "fingerprint": "580a6c5bf5ca8177ea3a45244b7b0cda90930c246743a6ce1bd9a224b8c313a0", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j4pr-3wm6-xx2r", "level": "note", "message": {"text": "uri: GHSA-j4pr-3wm6-xx2r"}, "properties": {"repobilityId": 118212, "scanner": "osv-scanner", "fingerprint": "feb03095a73530c123fe9f7d4a8dce47bf7cfaebd3050508d347b3d61299a9b4", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-61594"], "package": "uri", "rule_id": "GHSA-j4pr-3wm6-xx2r", "scanner": "osv-scanner", "correlation_key": "vuln|uri|CVE-2025-27221|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/engines/fieri/Gemfile.lock"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "GHSA-5rv5-xj5j-3484", "level": "note", "message": {"text": "faraday: GHSA-5rv5-xj5j-3484"}, "properties": {"repobilityId": 118206, "scanner": "osv-scanner", "fingerprint": "658ce856cd734bdbc83d47558311a8aae94bb814a249ebdfb2f3d46e8ad2f8d1", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33637"], "package": "faraday", "rule_id": "GHSA-5rv5-xj5j-3484", "scanner": "osv-scanner", "correlation_key": "vuln|faraday|CVE-2026-33637|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/engines/fieri/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2f4-jgmc-q2r5", "level": "note", "message": {"text": "rexml: GHSA-c2f4-jgmc-q2r5"}, "properties": {"repobilityId": 118201, "scanner": "osv-scanner", "fingerprint": "0bb9dd0595fbc6724cd1ae434577f443c2b844c008e9c2f58112456766322f3c", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58767"], "package": "rexml", "rule_id": "GHSA-c2f4-jgmc-q2r5", "scanner": "osv-scanner", "correlation_key": "vuln|rexml|CVE-2025-58767|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q2mw-fvj9-vvcw", "level": "note", "message": {"text": "net-imap: GHSA-q2mw-fvj9-vvcw"}, "properties": {"repobilityId": 118184, "scanner": "osv-scanner", "fingerprint": "a13ce028942b030f371e57a50fe0f3174218e309c27c2d060f498ab94576c97e", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-42245"], "package": "net-imap", "rule_id": 
"GHSA-q2mw-fvj9-vvcw", "scanner": "osv-scanner", "correlation_key": "vuln|net-imap|CVE-2026-42245|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-q2mw-fvj9-vvcw"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["20566dd959271258a6dd7a7f488b265799ce05a2c08c0fb71f57d07c6729b7ac", "a13ce028942b030f371e57a50fe0f3174218e309c27c2d060f498ab94576c97e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p9fm-f462-ggrg", "level": "note", "message": {"text": "activestorage: GHSA-p9fm-f462-ggrg"}, "properties": {"repobilityId": 118168, "scanner": "osv-scanner", "fingerprint": "bd96d6102b93b899bbc2a5d5ed412d6d5867fabeba667a9a019215b5ee526d48", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33658"], "package": "activestorage", "rule_id": "GHSA-p9fm-f462-ggrg", "scanner": "osv-scanner", "correlation_key": "vuln|activestorage|CVE-2026-33658|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-p9fm-f462-ggrg"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["013aca9237b4148b93ed74a7c095d3bc73effa32ed7c513b17c1c2fbfaeff068", "bd96d6102b93b899bbc2a5d5ed412d6d5867fabeba667a9a019215b5ee526d48"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v55j-83pf-r9cq", "level": "note", "message": {"text": "actionview: GHSA-v55j-83pf-r9cq"}, "properties": {"repobilityId": 118165, "scanner": "osv-scanner", "fingerprint": "55bc216789da9e49a659c842b4d80175933553d278ef5e6a19436bcd5d2c4d83", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate 
scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33168"], "package": "actionview", "rule_id": "GHSA-v55j-83pf-r9cq", "scanner": "osv-scanner", "correlation_key": "vuln|actionview|CVE-2026-33168|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-v55j-83pf-r9cq"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["55bc216789da9e49a659c842b4d80175933553d278ef5e6a19436bcd5d2c4d83", "67e51e2d444ff3f7a93bd04354ad0f0eb56bfd28ea71ecd4071efa2ac39a6ebe"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 118113, "scanner": "repobility-docker", "fingerprint": "0bc65efc68ce7248a6a566957bd3c3d63b04cc56b8b3c30db0181248c1536fa6", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "cache", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|0bc65efc68ce7248a6a566957bd3c3d63b04cc56b8b3c30db0181248c1536fa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC011", "level": "note", "message": {"text": "Database service publishes a loopback host port"}, "properties": {"repobilityId": 118111, "scanner": "repobility-docker", "fingerprint": "196ca8de670bf1df3e094ffae68b69e48eb061b3db235e1adb6bdc020dd0a6b3", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database-like image publishes only loopback host ports.", "evidence": {"ports": [{"raw": 
"127.0.0.1:6379:6379", "target": "6379", "host_ip": "127.0.0.1", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "cache", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "loopback", "correlation_key": "fp|196ca8de670bf1df3e094ffae68b69e48eb061b3db235e1adb6bdc020dd0a6b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC011", "level": "note", "message": {"text": "Database service publishes a loopback host port"}, "properties": {"repobilityId": 118108, "scanner": "repobility-docker", "fingerprint": "94c80d4628127a0ff312ae1c0267545cba96a4707d23583fc8fd92da545a799d", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database-like image publishes only loopback host ports.", "evidence": {"ports": [{"raw": "127.0.0.1:5432:5432", "target": "5432", "host_ip": "127.0.0.1", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "loopback", "correlation_key": "fp|94c80d4628127a0ff312ae1c0267545cba96a4707d23583fc8fd92da545a799d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118046, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d92a78960b4e6952164afe02bb6256fa877ebd19172cb42f20f614792de5034b", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/supermarket/spec/views/cookbooks/index.atom.builder_spec.rb", "duplicate_line": 5, "correlation_key": "fp|d92a78960b4e6952164afe02bb6256fa877ebd19172cb42f20f614792de5034b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/spec/views/users/followed_cookbook_activity.atom.builder_spec.rb"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118045, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d1e74c5fb14f0b2bf763cd4f30e58e0fd581da2e5f09e781fb82065d8a5a3dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/supermarket/spec/api/user_show_spec.rb", "duplicate_line": 53, "correlation_key": "fp|5d1e74c5fb14f0b2bf763cd4f30e58e0fd581da2e5f09e781fb82065d8a5a3dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/spec/views/api/v1/users/show.json.jbuilder_spec.rb"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118044, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3969ee6ec785ce77225f1a629f80ec2c9cd332f685c98c87020034c45d337165", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/supermarket/spec/controllers/cookbooks_controller_spec.rb", "duplicate_line": 126, "correlation_key": "fp|3969ee6ec785ce77225f1a629f80ec2c9cd332f685c98c87020034c45d337165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/spec/models/cookbook_spec.rb"}, "region": {"startLine": 585}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118043, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8140dbf8a4ae5f95291df5ca2d7081bc167cb2177b23ef9f76975b214c8c6f43", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/supermarket/spec/extractors/chef_oauth2_extractor_spec.rb", "duplicate_line": 4, "correlation_key": "fp|8140dbf8a4ae5f95291df5ca2d7081bc167cb2177b23ef9f76975b214c8c6f43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/spec/extractors/github_extractor_spec.rb"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118042, "scanner": "repobility-ai-code-hygiene", "fingerprint": "61159f2c91d6c2fc3a10569cf6e15d1b196dee29c15b496c7156a868faaa6525", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/supermarket/spec/api/cookbook_contingent_spec.rb", "duplicate_line": 20, "correlation_key": "fp|61159f2c91d6c2fc3a10569cf6e15d1b196dee29c15b496c7156a868faaa6525"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/spec/api/cookbook_show_spec.rb"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118041, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06fb706fa877d51bf6cd60481e8a730e4aab9cec742900a5a8ac5fe0444ec5f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/supermarket/engines/fieri/spec/models/cookstyle_worker_spec.rb", "duplicate_line": 15, "correlation_key": "fp|06fb706fa877d51bf6cd60481e8a730e4aab9cec742900a5a8ac5fe0444ec5f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/engines/fieri/spec/models/no_binaries_worker_spec.rb"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118040, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a090ab69bf6450162911c73311e52680a3f0f040d6a8affef37159f6aba0a8e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/supermarket/config/environments/development.rb", "duplicate_line": 2, "correlation_key": "fp|6a090ab69bf6450162911c73311e52680a3f0f040d6a8affef37159f6aba0a8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/engines/fieri/spec/dummy/config/environments/development.rb"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118039, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f2e8ace5809467130d9319cd9dea22c028ccfc3d1c01e04ab4c24d4bd2f3eacd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/supermarket/app/assets/javascripts/collaborators.js", "duplicate_line": 4, "correlation_key": "fp|f2e8ace5809467130d9319cd9dea22c028ccfc3d1c01e04ab4c24d4bd2f3eacd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/assets/javascripts/groups.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118038, "scanner": "repobility-ai-code-hygiene", "fingerprint": "333914042b557475b9d5a906c9e3f1bfef0bc048e9046fdb3503c62d5827491c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/supermarket/app/assets/javascripts/collaborators.js", "duplicate_line": 4, "correlation_key": "fp|333914042b557475b9d5a906c9e3f1bfef0bc048e9046fdb3503c62d5827491c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/assets/javascripts/group_members.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118037, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bb12e3092ac437990ada71fdae39d2f25fee32e6721cb9cd8ab8fef19debb630", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/supermarket/app/assets/javascripts/collaborators.js", "duplicate_line": 4, "correlation_key": "fp|bb12e3092ac437990ada71fdae39d2f25fee32e6721cb9cd8ab8fef19debb630"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/assets/javascripts/cookbookDeprecate.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118036, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7410da9baf7ad8a910c77b59e74df3d7b3a729b0148892e968c58e1430905f8b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "omnibus/cookbooks/omnibus-supermarket/recipes/postgresql-external.rb", "duplicate_line": 1, "correlation_key": "fp|7410da9baf7ad8a910c77b59e74df3d7b3a729b0148892e968c58e1430905f8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "omnibus/cookbooks/omnibus-supermarket/recipes/postgresql.rb"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 118104, "scanner": "repobility-threat-engine", "fingerprint": "d915e2a0c96f2fec015daf095dde4e8af77bb3e8ffbac4e09358d96c5bb21948", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d915e2a0c96f2fec015daf095dde4e8af77bb3e8ffbac4e09358d96c5bb21948"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/environments/development.rb"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC109", "level": "none", "message": {"text": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 118098, "scanner": "repobility-threat-engine", "fingerprint": "aff18d5fad533f15ff10726e035bbb09d8593aad24067c6e10691acc8c6f4d48", "category": "csrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC109", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|aff18d5fad533f15ff10726e035bbb09d8593aad24067c6e10691acc8c6f4d48"}}}, {"ruleId": "SEC097", "level": "none", "message": {"text": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 118094, "scanner": "repobility-threat-engine", "fingerprint": "357064e2635f5bac3c146d2f389bce8596ef5e1dd57a4d43b0a00bdd31a35836", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC097", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|357064e2635f5bac3c146d2f389bce8596ef5e1dd57a4d43b0a00bdd31a35836"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 118090, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 118086, "scanner": "repobility-threat-engine", "fingerprint": "62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 118085, "scanner": "repobility-threat-engine", "fingerprint": "71bd3486a37686cf0b778044a756e599087b2dd626d9e9b829fc058efd417574", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|71bd3486a37686cf0b778044a756e599087b2dd626d9e9b829fc058efd417574"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/initializers/content_security_policy.rb"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 118084, "scanner": "repobility-threat-engine", "fingerprint": "6eda1be649280ee94ef9d37a0edb5cb86d737b9633f93b5f4761ab957e8f3525", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6eda1be649280ee94ef9d37a0edb5cb86d737b9633f93b5f4761ab957e8f3525"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/models/universe_cache.rb"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 118083, "scanner": "repobility-threat-engine", "fingerprint": "8a2fc3e6f16c50b1cc27367ae289193ad929a2cc7834a2877e1d3c25f378b189", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8a2fc3e6f16c50b1cc27367ae289193ad929a2cc7834a2877e1d3c25f378b189"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "redis/plan.sh"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "properties": {"repobilityId": 118082, "scanner": "repobility-threat-engine", "fingerprint": "649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a"}}}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `karma-spec-reporter` is patch version(s) behind (0.0.34 -> 0.0.36)"}, "properties": {"repobilityId": 118078, "scanner": "repobility-dependency-currency", "fingerprint": "6e4cbef0f389fe7abf0bc0177e2e42143c8924e5d90ca379704bc46db420f5c1", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "karma-spec-reporter", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.0.36", "correlation_key": "fp|6e4cbef0f389fe7abf0bc0177e2e42143c8924e5d90ca379704bc46db420f5c1", "current_version": "0.0.34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /cookbooks/:id/transfer_ownership."}, "properties": {"repobilityId": 118242, "scanner": "repobility-access-control", "fingerprint": "55181d89125b477c65fd205f01ac3d02e895b65c28fe1f1fceb2a050fb0271ab", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cookbooks/:id/transfer_ownership", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|token|56|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/routes.rb"}, "region": {"startLine": 56}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 118238, "scanner": "osv-scanner", "fingerprint": "3d3fb49688281b20fc26b2ae1c52daab59f545d7e83109229056da67da392602", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-677m-j7p3-52f9", "level": "error", "message": {"text": "socket.io-parser: GHSA-677m-j7p3-52f9"}, "properties": {"repobilityId": 118236, "scanner": "osv-scanner", "fingerprint": "4c6536068f5406679b0af144de9fd8ee9317356d2cd60a532d4205377500f9a4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33151"], "package": "socket.io-parser", 
"rule_id": "GHSA-677m-j7p3-52f9", "scanner": "osv-scanner", "correlation_key": "vuln|socket.io-parser|CVE-2026-33151|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 118233, "scanner": "osv-scanner", "fingerprint": "27a8d23dfe747661b7a9b3531c6da1f51eb5c93a8291d590d31b37df6505aede", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 118229, "scanner": "osv-scanner", "fingerprint": "ff27f18cbf17774dcd16edf0e9cb1d1ef89bfd901aaf5d303303af31b09c2e57", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 118226, "scanner": "osv-scanner", "fingerprint": "644f13a84252695ed0169e03a327ba38f69234187301592e58b52ca5cdff7145", "category": 
"dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 118225, "scanner": "osv-scanner", "fingerprint": "2a0c2f049337edd114377acb838fc6c20d5a8a9fb79c90a4e98aac1e8abe2d55", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 118224, "scanner": "osv-scanner", "fingerprint": "3ba4ccf9dd073c28e69f1eeedd9daed31a5f03033f38cd060bff144b319106a1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": 
"lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 118222, "scanner": "osv-scanner", "fingerprint": "85c02eac88faa2e14118449fd351dd5d3627ad3ffac6cdee33e001e58023bf5d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 118218, "scanner": "osv-scanner", "fingerprint": "1a68d8ac63ebd2e351d2faf1c27f0ced643dea1607ddfd8f67627dcdf6a92588", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 118217, "scanner": "osv-scanner", "fingerprint": "05ba4974eec5696f97164999f5adc89d5d796cbf307f67ade2f80add68eaacbd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|token"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "src/supermarket/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6x5-cg8r-vv6x", "level": "error", "message": {"text": "rack: GHSA-v6x5-cg8r-vv6x"}, "properties": {"repobilityId": 118210, "scanner": "osv-scanner", "fingerprint": "bfcb85b055702e84c541616c3722f5d932c7c763896e00e5f3ce12949ef61644", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34827"], "package": "rack", "rule_id": "GHSA-v6x5-cg8r-vv6x", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-34827|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/engines/fieri/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c4r5-fxqw-vh93", "level": "error", "message": {"text": "ruby-lsp: GHSA-c4r5-fxqw-vh93"}, "properties": {"repobilityId": 118202, "scanner": "osv-scanner", "fingerprint": "6dc10c8eaedb44c7cd4c80ac6a0a3ded9e379f8f1fde484ae2a76350101fab32", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34060"], "package": "ruby-lsp", "rule_id": "GHSA-c4r5-fxqw-vh93", "scanner": "osv-scanner", "correlation_key": "vuln|ruby-lsp|CVE-2026-34060|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v569-hp3g-36wr", "level": "error", "message": {"text": "rack: GHSA-v569-hp3g-36wr"}, "properties": {"repobilityId": 118197, "scanner": "osv-scanner", "fingerprint": "c94bbec7a4f172fefd6ac83ca26017dc81349cd3c0918ddb54e01eb7fd1bb1f2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying 
issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34230"], "package": "rack", "rule_id": "GHSA-v569-hp3g-36wr", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-34230|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-v569-hp3g-36wr"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["7ad98e84f69db685ca3d992120bf208b2b5253017bddd1ba80d18cf8cf884d9d", "c94bbec7a4f172fefd6ac83ca26017dc81349cd3c0918ddb54e01eb7fd1bb1f2"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mxw3-3hh2-x2mh", "level": "error", "message": {"text": "rack: GHSA-mxw3-3hh2-x2mh"}, "properties": {"repobilityId": 118193, "scanner": "osv-scanner", "fingerprint": "889c7f221e9aa7d2a84ef78c1a9f84c39a52caceb25658090dad560c055e0dcf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-22860"], "package": "rack", "rule_id": "GHSA-mxw3-3hh2-x2mh", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-22860|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-mxw3-3hh2-x2mh"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0cd0300c87405aeedf6c2fbee2696621c17021f21175a879209bef4d55e32f54", "889c7f221e9aa7d2a84ef78c1a9f84c39a52caceb25658090dad560c055e0dcf"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h2jq-g4cq-5ppq", "level": "error", "message": {"text": "rack: GHSA-h2jq-g4cq-5ppq"}, "properties": {"repobilityId": 118192, "scanner": "osv-scanner", "fingerprint": "5d5439acb2297d653cb9dcf71ada69342b533aa68b41a2817c3ead9b3086a08a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34785"], "package": "rack", "rule_id": "GHSA-h2jq-g4cq-5ppq", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-34785|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-h2jq-g4cq-5ppq"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5d5439acb2297d653cb9dcf71ada69342b533aa68b41a2817c3ead9b3086a08a", "d0a19242043d777b8d86999a0feb27e7c3ec1bf55f9c30ac6bc60c022640f642"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8vqr-qjwx-82mw", "level": "error", "message": {"text": "rack: GHSA-8vqr-qjwx-82mw"}, "properties": {"repobilityId": 118191, "scanner": "osv-scanner", "fingerprint": "55487a67faeeb635ef746457a737d867d31c4042e0f33b3d5f397f3be517309e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34829"], "package": "rack", "rule_id": "GHSA-8vqr-qjwx-82mw", "scanner": "osv-scanner", "correlation_key": "vuln|rack|CVE-2026-34829|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-8vqr-qjwx-82mw"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["43fd3d078acead79c4ac94db7b02a280aacd78c1b7c4b31d927430d0d377f6ee", "55487a67faeeb635ef746457a737d867d31c4042e0f33b3d5f397f3be517309e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c4rq-3m3g-8wgx", "level": "error", "message": {"text": "nokogiri: GHSA-c4rq-3m3g-8wgx"}, "properties": {"repobilityId": 118186, "scanner": "osv-scanner", "fingerprint": 
"32e09a50e38d8f7d9e450324126eb4e18ad09431889847883020604152891578", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "package": "nokogiri", "rule_id": "GHSA-c4rq-3m3g-8wgx", "scanner": "osv-scanner", "correlation_key": "vuln|nokogiri|GHSA-C4RQ-3M3G-8WGX|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-c4rq-3m3g-8wgx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["20ec4cb1ac1a443b133a10e5fdf666f2372bcb6747e6bc18cb838420c2630c19", "32e09a50e38d8f7d9e450324126eb4e18ad09431889847883020604152891578"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vcgp-9326-pqcp", "level": "error", "message": {"text": "net-imap: GHSA-vcgp-9326-pqcp"}, "properties": {"repobilityId": 118185, "scanner": "osv-scanner", "fingerprint": "3fb6979700288226123ce7ef8d63226ead32804fc0b493579da1da839eaae944", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-42246"], "package": "net-imap", "rule_id": "GHSA-vcgp-9326-pqcp", "scanner": "osv-scanner", "correlation_key": "vuln|net-imap|CVE-2026-42246|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-vcgp-9326-pqcp"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3fb6979700288226123ce7ef8d63226ead32804fc0b493579da1da839eaae944", "6a305bee05ca5d92de9106acc06e20bc4a06728aeaecfb21ea8cc147174dcdb9"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c32j-vqhx-rx3x", "level": "error", "message": {"text": "jwt: 
GHSA-c32j-vqhx-rx3x"}, "properties": {"repobilityId": 118180, "scanner": "osv-scanner", "fingerprint": "bb2843daf0a13e2ab1b5934585ccaf1effad7d1ebd0b3f8646f37aebe9711e2b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45363"], "package": "jwt", "rule_id": "GHSA-c32j-vqhx-rx3x", "scanner": "osv-scanner", "correlation_key": "vuln|jwt|CVE-2026-44351|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q339-8rmv-2mhv", "level": "error", "message": {"text": "erb: GHSA-q339-8rmv-2mhv"}, "properties": {"repobilityId": 118177, "scanner": "osv-scanner", "fingerprint": "d012ddf3a46e8d104bfbf21d83f74cb1432563b80a57f5ae03f127849e4f5d6a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41316"], "package": "erb", "rule_id": "GHSA-q339-8rmv-2mhv", "scanner": "osv-scanner", "correlation_key": "vuln|erb|CVE-2026-41316|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-q339-8rmv-2mhv"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["d012ddf3a46e8d104bfbf21d83f74cb1432563b80a57f5ae03f127849e4f5d6a", "fb5c5ee134f394f8de10af1605995685bc8271b309eb0fdb7be91e736e8014f5"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h27x-rffw-24p4", "level": "error", "message": {"text": "addressable: GHSA-h27x-rffw-24p4"}, "properties": {"repobilityId": 118174, "scanner": "osv-scanner", "fingerprint": "d67c86fd6379379d2c4ab6b2dd62a4a22b38c703ae5ad3951a4c98d9400fc337", "category": "dependency", "severity": "high", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-35611"], "package": "addressable", "rule_id": "GHSA-h27x-rffw-24p4", "scanner": "osv-scanner", "correlation_key": "vuln|addressable|CVE-2026-35611|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-h27x-rffw-24p4"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["d67c86fd6379379d2c4ab6b2dd62a4a22b38c703ae5ad3951a4c98d9400fc337", "dc9998e415f94b17eef45ce14cfac2bd593593e463f77723d649f17fd2f27a50"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9xrj-h377-fr87", "level": "error", "message": {"text": "activestorage: GHSA-9xrj-h377-fr87"}, "properties": {"repobilityId": 118167, "scanner": "osv-scanner", "fingerprint": "92f051bc5510b551cf58a5e33722214ce0d1bf4c2862bf17c3d53830f99a831f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33195"], "package": "activestorage", "rule_id": "GHSA-9xrj-h377-fr87", "scanner": "osv-scanner", "correlation_key": "vuln|activestorage|CVE-2026-33195|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-9xrj-h377-fr87"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["7719374045b751b4271e16ae5b7fc97df0ce41a88b619926a18d2d28e44e6861", "92f051bc5510b551cf58a5e33722214ce0d1bf4c2862bf17c3d53830f99a831f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5039", "level": "error", "message": {"text": "stdlib: GO-2026-5039"}, "properties": {"repobilityId": 118164, "scanner": "osv-scanner", "fingerprint": 
"600fb71954bf544248816d778e32eb23b7846ef35c5fb86f90d7458143f95d28", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42507", "CVE-2026-42507"], "package": "stdlib", "rule_id": "GO-2026-5039", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42507|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5038", "level": "error", "message": {"text": "stdlib: GO-2026-5038"}, "properties": {"repobilityId": 118163, "scanner": "osv-scanner", "fingerprint": "a3f411113ef01750a49968518b77324691bba7c7c087d16d8a889a00b1d5567d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42504", "CVE-2026-42504"], "package": "stdlib", "rule_id": "GO-2026-5038", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42504|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5037", "level": "error", "message": {"text": "stdlib: GO-2026-5037"}, "properties": {"repobilityId": 118162, "scanner": "osv-scanner", "fingerprint": "395fbe281cbd9ac5987a7b707c31257b4b11a2bec718defc784574ec6e30e2bd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-27145", "CVE-2026-27145"], "package": "stdlib", "rule_id": "GO-2026-5037", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-27145|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GO-2026-4986", "level": "error", "message": {"text": "stdlib: GO-2026-4986"}, "properties": {"repobilityId": 118161, "scanner": "osv-scanner", "fingerprint": "ec5edefc0a93ecfac834c06656d5212873bf823f6127724708a65aab8b8961f8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39820", "CVE-2026-39820"], "package": "stdlib", "rule_id": "GO-2026-4986", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39820|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4982", "level": "error", "message": {"text": "stdlib: GO-2026-4982"}, "properties": {"repobilityId": 118160, "scanner": "osv-scanner", "fingerprint": "81a2c17972da589315e91d42496bbfad21c1b73a968c47252ac7e20d29d0a34a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39823", "CVE-2026-39823"], "package": "stdlib", "rule_id": "GO-2026-4982", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39823|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4981", "level": "error", "message": {"text": "stdlib: GO-2026-4981"}, "properties": {"repobilityId": 118159, "scanner": "osv-scanner", "fingerprint": "79c4fdbc84e37bd1d31733256dfc7db5c712ecd4481bb192f72f6c068baeba6b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33811", "CVE-2026-33811"], "package": "stdlib", "rule_id": "GO-2026-4981", "scanner": "osv-scanner", 
"correlation_key": "vuln|stdlib|CVE-2026-33811|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4980", "level": "error", "message": {"text": "stdlib: GO-2026-4980"}, "properties": {"repobilityId": 118158, "scanner": "osv-scanner", "fingerprint": "a3cd9942d1a52956078fe22ba5d07b0448690ed7f8f8c308974429a96fc23112", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39826", "CVE-2026-39826"], "package": "stdlib", "rule_id": "GO-2026-4980", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39826|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4977", "level": "error", "message": {"text": "stdlib: GO-2026-4977"}, "properties": {"repobilityId": 118157, "scanner": "osv-scanner", "fingerprint": "cf3f200674c404fb43fe993db03a56f31cab39567d7d80b69d0c0ca0102f34f2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42499", "CVE-2026-42499"], "package": "stdlib", "rule_id": "GO-2026-4977", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42499|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4976", "level": "error", "message": {"text": "stdlib: GO-2026-4976"}, "properties": {"repobilityId": 118156, "scanner": "osv-scanner", "fingerprint": "1179c4501e2937146e8f4ba34d72d16fdffca777d5eeeb9c2c2eed10969c242a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39825", "CVE-2026-39825"], "package": "stdlib", "rule_id": "GO-2026-4976", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39825|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4971", "level": "error", "message": {"text": "stdlib: GO-2026-4971"}, "properties": {"repobilityId": 118155, "scanner": "osv-scanner", "fingerprint": "034118cf89bbf9275789e3c27fc387f13e23d1f30e167824cf2712940e47da37", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39836", "CVE-2026-39836"], "package": "stdlib", "rule_id": "GO-2026-4971", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39836|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4947", "level": "error", "message": {"text": "stdlib: GO-2026-4947"}, "properties": {"repobilityId": 118154, "scanner": "osv-scanner", "fingerprint": "406b1a17bad9cd54e482ef0edda08bd94bbe2b709e5304ba010caccbc1367d02", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32280", "CVE-2026-32280"], "package": "stdlib", "rule_id": "GO-2026-4947", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32280|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4946", "level": "error", "message": {"text": "stdlib: GO-2026-4946"}, "properties": {"repobilityId": 118153, "scanner": "osv-scanner", "fingerprint": 
"907be506f563951c7448fd3d027d8c4efa27e571dbdd1b004416b225aec1e45c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32281", "CVE-2026-32281"], "package": "stdlib", "rule_id": "GO-2026-4946", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32281|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4918", "level": "error", "message": {"text": "stdlib: GO-2026-4918"}, "properties": {"repobilityId": 118152, "scanner": "osv-scanner", "fingerprint": "d633f6ec2baee79281b48424ea72f736f51e767e3244f493861c079d929363c1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33814", "CVE-2026-33814"], "package": "stdlib", "rule_id": "GO-2026-4918", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-33814|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4870", "level": "error", "message": {"text": "stdlib: GO-2026-4870"}, "properties": {"repobilityId": 118151, "scanner": "osv-scanner", "fingerprint": "945fb8191d3a8e98b6094d2aa4c440c95dd988e0f9a1e69bd5136127acec40e2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32283", "CVE-2026-32283"], "package": "stdlib", "rule_id": "GO-2026-4870", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32283|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GO-2026-4869", "level": "error", "message": {"text": "stdlib: GO-2026-4869"}, "properties": {"repobilityId": 118150, "scanner": "osv-scanner", "fingerprint": "aec888207dfea9e8032065e6f5c53bf6c26b582573ec77e5cee5f743faeb415c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32288", "CVE-2026-32288"], "package": "stdlib", "rule_id": "GO-2026-4869", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32288|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4865", "level": "error", "message": {"text": "stdlib: GO-2026-4865"}, "properties": {"repobilityId": 118149, "scanner": "osv-scanner", "fingerprint": "ee3b160f70c2f4cb2b9410d72ea8085ebc4430c86a76bf963732bbfc26146fca", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32289", "CVE-2026-32289"], "package": "stdlib", "rule_id": "GO-2026-4865", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32289|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4864", "level": "error", "message": {"text": "stdlib: GO-2026-4864"}, "properties": {"repobilityId": 118148, "scanner": "osv-scanner", "fingerprint": "8f7b7dffc5631c83914bb68b0c4fd84dfd49dd9a19a4601653e1590769f200b5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32282", "CVE-2026-32282"], "package": "stdlib", "rule_id": "GO-2026-4864", "scanner": "osv-scanner", 
"correlation_key": "vuln|stdlib|CVE-2026-32282|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4603", "level": "error", "message": {"text": "stdlib: GO-2026-4603"}, "properties": {"repobilityId": 118147, "scanner": "osv-scanner", "fingerprint": "516ccbe40e242cbfd13518837f031c44f2b7bd418f55fca1df9af69e634aec99", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-27142", "CVE-2026-27142"], "package": "stdlib", "rule_id": "GO-2026-4603", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-27142|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4602", "level": "error", "message": {"text": "stdlib: GO-2026-4602"}, "properties": {"repobilityId": 118146, "scanner": "osv-scanner", "fingerprint": "202713e118bb4bf31a1c625edb99bf58aaac9b6c61d4e4ec0ee984daa8cee6ed", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-27139", "CVE-2026-27139"], "package": "stdlib", "rule_id": "GO-2026-4602", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-27139|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4601", "level": "error", "message": {"text": "stdlib: GO-2026-4601"}, "properties": {"repobilityId": 118145, "scanner": "osv-scanner", "fingerprint": "41f87ee3ae1f824610ab97254bf1084ee35ae5f977718704419a00ad8916b879", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-25679", "CVE-2026-25679"], "package": "stdlib", "rule_id": "GO-2026-4601", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-25679|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4403", "level": "error", "message": {"text": "stdlib: GO-2026-4403"}, "properties": {"repobilityId": 118144, "scanner": "osv-scanner", "fingerprint": "425a1b755ddbb600155294de24e28eb9d4eb84ca89676bfdc95ac4d77fc0a11f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-22873", "CVE-2025-22873"], "package": "stdlib", "rule_id": "GO-2026-4403", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-22873|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4342", "level": "error", "message": {"text": "stdlib: GO-2026-4342"}, "properties": {"repobilityId": 118143, "scanner": "osv-scanner", "fingerprint": "3d9258a0f6f4072cd85eb18759561255a890304103eb3fe39771ab320efaee07", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61728", "CVE-2025-61728"], "package": "stdlib", "rule_id": "GO-2026-4342", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61728|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4341", "level": "error", "message": {"text": "stdlib: GO-2026-4341"}, "properties": {"repobilityId": 118142, "scanner": "osv-scanner", "fingerprint": 
"7d07b0b1e95cce81e91ac47ae3c33eb1141da074337198707d9b5de99e5d12a2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61726", "CVE-2025-61726"], "package": "stdlib", "rule_id": "GO-2026-4341", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61726|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4340", "level": "error", "message": {"text": "stdlib: GO-2026-4340"}, "properties": {"repobilityId": 118141, "scanner": "osv-scanner", "fingerprint": "ae880741bd0ec3a7bb070a6b22166227a69c03cbc6b36a51d03f37a3ac764cc1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61730", "CVE-2025-61730"], "package": "stdlib", "rule_id": "GO-2026-4340", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61730|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4337", "level": "error", "message": {"text": "stdlib: GO-2026-4337"}, "properties": {"repobilityId": 118140, "scanner": "osv-scanner", "fingerprint": "3cd6afc4a904af4307e406d56d471746fb0d104dcb8fef681472a7339987b062", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-68121", "CVE-2025-68121"], "package": "stdlib", "rule_id": "GO-2026-4337", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-68121|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GO-2025-4175", "level": "error", "message": {"text": "stdlib: GO-2025-4175"}, "properties": {"repobilityId": 118139, "scanner": "osv-scanner", "fingerprint": "8596db9bd1f0d544dca5a33ae414daf9541058cc04ad1c7e657b4dfa7a5c46ed", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61727", "CVE-2025-61727"], "package": "stdlib", "rule_id": "GO-2025-4175", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61727|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4155", "level": "error", "message": {"text": "stdlib: GO-2025-4155"}, "properties": {"repobilityId": 118138, "scanner": "osv-scanner", "fingerprint": "f8ff4faeef1fa3ceedbbad2aae9f33f62762b24b75a9e0837e7f0c9b488345b8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61729", "CVE-2025-61729"], "package": "stdlib", "rule_id": "GO-2025-4155", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61729|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4015", "level": "error", "message": {"text": "stdlib: GO-2025-4015"}, "properties": {"repobilityId": 118137, "scanner": "osv-scanner", "fingerprint": "ffc974421f1408b902cfd4d3452a32378d9ff32e3421b39070e5f4b1d24c6125", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61724", "CVE-2025-61724"], "package": "stdlib", "rule_id": "GO-2025-4015", "scanner": "osv-scanner", 
"correlation_key": "vuln|stdlib|CVE-2025-61724|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4014", "level": "error", "message": {"text": "stdlib: GO-2025-4014"}, "properties": {"repobilityId": 118136, "scanner": "osv-scanner", "fingerprint": "6c898b1d0204611caa18c5de79043b16b7ccfb28aedfef163af084ed28cb28b1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58183", "CVE-2025-58183"], "package": "stdlib", "rule_id": "GO-2025-4014", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58183|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4013", "level": "error", "message": {"text": "stdlib: GO-2025-4013"}, "properties": {"repobilityId": 118135, "scanner": "osv-scanner", "fingerprint": "61e592f4c8fe38b9b519c4f232d6783dd467af7c8b3e8dc9a68cd4ebcb34e1d2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58188", "CVE-2025-58188"], "package": "stdlib", "rule_id": "GO-2025-4013", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58188|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4012", "level": "error", "message": {"text": "stdlib: GO-2025-4012"}, "properties": {"repobilityId": 118134, "scanner": "osv-scanner", "fingerprint": "36e927e725ab66d59521d450a0461a53d7a941cfb0f8cd58c726a51edeb9f854", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58186", "CVE-2025-58186"], "package": "stdlib", "rule_id": "GO-2025-4012", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58186|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4011", "level": "error", "message": {"text": "stdlib: GO-2025-4011"}, "properties": {"repobilityId": 118133, "scanner": "osv-scanner", "fingerprint": "7d437adfd65d2050d93249735c0a59a6385bebf46d35d5b766c7088633acbb3c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58185", "CVE-2025-58185"], "package": "stdlib", "rule_id": "GO-2025-4011", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58185|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4010", "level": "error", "message": {"text": "stdlib: GO-2025-4010"}, "properties": {"repobilityId": 118132, "scanner": "osv-scanner", "fingerprint": "ac578d90f44951dbf9a847b2a7d6cda022fa9b563c337968d93a5e038bcab67d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-47912", "CVE-2025-47912"], "package": "stdlib", "rule_id": "GO-2025-4010", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-47912|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4009", "level": "error", "message": {"text": "stdlib: GO-2025-4009"}, "properties": {"repobilityId": 118131, "scanner": "osv-scanner", "fingerprint": 
"a635cfeda1253a064bd8364cf98c31daadb8f788597ad918ed8b724c705cac5d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61723", "CVE-2025-61723"], "package": "stdlib", "rule_id": "GO-2025-4009", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61723|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4008", "level": "error", "message": {"text": "stdlib: GO-2025-4008"}, "properties": {"repobilityId": 118130, "scanner": "osv-scanner", "fingerprint": "4081545f012806e5dc9983c690072eb44d18c7610b8e868a13748de6907890c3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58189", "CVE-2025-58189"], "package": "stdlib", "rule_id": "GO-2025-4008", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58189|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4007", "level": "error", "message": {"text": "stdlib: GO-2025-4007"}, "properties": {"repobilityId": 118129, "scanner": "osv-scanner", "fingerprint": "f72cba3d16d067d0217aeb9afaeecd154b43da28a62cad1c81bbbc7c9dcc18a4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58187", "CVE-2025-58187"], "package": "stdlib", "rule_id": "GO-2025-4007", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58187|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GO-2025-4006", "level": "error", "message": {"text": "stdlib: GO-2025-4006"}, "properties": {"repobilityId": 118128, "scanner": "osv-scanner", "fingerprint": "e1072cd3f28689abc9127b6bbf0b68feb222774a4dd4d2ed565d0403fdd1debb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61725", "CVE-2025-61725"], "package": "stdlib", "rule_id": "GO-2025-4006", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61725|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3956", "level": "error", "message": {"text": "stdlib: GO-2025-3956"}, "properties": {"repobilityId": 118127, "scanner": "osv-scanner", "fingerprint": "3c2d16939c1b9e2397b3f6160d3cf7bc66027cf3cba8e9a64bbb37d1ed010a05", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-47906", "CVE-2025-47906"], "package": "stdlib", "rule_id": "GO-2025-3956", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-47906|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3849", "level": "error", "message": {"text": "stdlib: GO-2025-3849"}, "properties": {"repobilityId": 118126, "scanner": "osv-scanner", "fingerprint": "1fb8486acc0b27038ed63c429e2e6b5e0f013bd3feccc00db111dd8c262cd52a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-47907", "CVE-2025-47907"], "package": "stdlib", "rule_id": "GO-2025-3849", "scanner": "osv-scanner", 
"correlation_key": "vuln|stdlib|CVE-2025-47907|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3751", "level": "error", "message": {"text": "stdlib: GO-2025-3751"}, "properties": {"repobilityId": 118125, "scanner": "osv-scanner", "fingerprint": "54c8cb8840e8172aaf900bcdf10172a987e099e4598d4c8ec507ff7b10c5d818", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-4673", "CVE-2025-4673"], "package": "stdlib", "rule_id": "GO-2025-3751", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-4673|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3750", "level": "error", "message": {"text": "stdlib: GO-2025-3750"}, "properties": {"repobilityId": 118124, "scanner": "osv-scanner", "fingerprint": "3be74d243ec0bf4abec0513c185877df9846d0508cc856d2db513da6fd3c853f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-0913", "CVE-2025-0913"], "package": "stdlib", "rule_id": "GO-2025-3750", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-0913|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3563", "level": "error", "message": {"text": "stdlib: GO-2025-3563"}, "properties": {"repobilityId": 118123, "scanner": "osv-scanner", "fingerprint": "bd47480d49598a5b69b171e9bab46ee7f27ff13c6d2790d2499807e013173158", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-22871", "CVE-2025-22871", "GHSA-g9pc-8g42-g6vq"], "package": "stdlib", "rule_id": "GO-2025-3563", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-22871|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3503", "level": "error", "message": {"text": "stdlib: GO-2025-3503"}, "properties": {"repobilityId": 118122, "scanner": "osv-scanner", "fingerprint": "e8f24999ceddb0ce25b9b98b0e24073cc0bcc694c5ef9c5e6d171f90ce70d4a5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-22870", "GHSA-qxp5-gwg8-xv66"], "package": "stdlib", "rule_id": "GO-2025-3503", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-22870|docs-chef-io/go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 118109, "scanner": "repobility-docker", "fingerprint": "da285fb2549e907732d0f147b2706c261b4df55a267ec4ac4dedd7bc34bbc56d", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|da285fb2549e907732d0f147b2706c261b4df55a267ec4ac4dedd7bc34bbc56d", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/docker-compose.yml"}, "region": {"startLine": 2}}}]}, 
{"ruleId": "SEC113", "level": "error", "message": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "properties": {"repobilityId": 118107, "scanner": "repobility-threat-engine", "fingerprint": "761d84c6eb3d12e0bc0c4cf26bcdc03c8c3799f6eb431268c580679b45f30abe", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "StrictHostKeyChecking=no", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC113", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|31|sec113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/exec/shared.sh"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC080", "level": "error", "message": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). 
Ported from bandit B202 (Apache-2.0)."}, "properties": {"repobilityId": 118106, "scanner": "repobility-threat-engine", "fingerprint": "e134aa6c0d8c54f68c910c24e35c7f30a14bdaf8818f0818bfeca6c8bc64739b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tar.extract(work_dir, perms: false)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC080", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e134aa6c0d8c54f68c910c24e35c7f30a14bdaf8818f0818bfeca6c8bc64739b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/engines/fieri/app/models/cookbook_artifact.rb"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 118100, "scanner": "repobility-threat-engine", "fingerprint": "8d881e5332ddef5179b10ab7cb1b6100c5829dff5d87e761bfc857eec93c154d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d881e5332ddef5179b10ab7cb1b6100c5829dff5d87e761bfc857eec93c154d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/models/user.rb"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for 
security context (not just checksums)."}, "properties": {"repobilityId": 118099, "scanner": "repobility-threat-engine", "fingerprint": "24caa06750fa1a0f5780eb35335497d75601b60a315ed695d7e79dde359c45d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|24caa06750fa1a0f5780eb35335497d75601b60a315ed695d7e79dde359c45d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/helpers/users_helper.rb"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC109", "level": "error", "message": {"text": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled: Rails CSRF protection turned off at controller level. 
Any state-changing endpoint becomes a CSRF target."}, "properties": {"repobilityId": 118097, "scanner": "repobility-threat-engine", "fingerprint": "93e8ef90a41809d31ff23e1a8a9d5a1974a4c0747f8f03ede6782d88fd772e02", "category": "csrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC109", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|93e8ef90a41809d31ff23e1a8a9d5a1974a4c0747f8f03ede6782d88fd772e02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/controllers/sessions_controller.rb"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC109", "level": "error", "message": {"text": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled: Rails CSRF protection turned off at controller level. 
Any state-changing endpoint becomes a CSRF target."}, "properties": {"repobilityId": 118096, "scanner": "repobility-threat-engine", "fingerprint": "d5c3d8ff3575379e5e2a5aa0b95c1ceb984dec61faa10e925a2c30495202219b", "category": "csrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC109", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d5c3d8ff3575379e5e2a5aa0b95c1ceb984dec61faa10e925a2c30495202219b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/controllers/collaborators_controller.rb"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC109", "level": "error", "message": {"text": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled: Rails CSRF protection turned off at controller level. 
Any state-changing endpoint becomes a CSRF target."}, "properties": {"repobilityId": 118095, "scanner": "repobility-threat-engine", "fingerprint": "f7482e719442edd9d08d5134371b1ec831080bf779146866d805816cfb1067a7", "category": "csrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC109", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f7482e719442edd9d08d5134371b1ec831080bf779146866d805816cfb1067a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/controllers/api/v1_controller.rb"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC097", "level": "error", "message": {"text": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing: Rails app disables SSL or CSRF protection. 
Concept from Brakeman check_force_ssl / check_forgery_setting \u2014 re-authored from OWASP A07."}, "properties": {"repobilityId": 118093, "scanner": "repobility-threat-engine", "fingerprint": "d7788fd524cf5acb1abb43ccf08b1cad6b9f15bbc6feed5eda64727e641b796e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC097", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d7788fd524cf5acb1abb43ccf08b1cad6b9f15bbc6feed5eda64727e641b796e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/controllers/sessions_controller.rb"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC097", "level": "error", "message": {"text": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing: Rails app disables SSL or CSRF protection. 
Concept from Brakeman check_force_ssl / check_forgery_setting \u2014 re-authored from OWASP A07."}, "properties": {"repobilityId": 118092, "scanner": "repobility-threat-engine", "fingerprint": "bbcf5a49fe6d7aa1ec7a4966974ab4c9a28ea9660c0269b327a518a3c1942b24", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC097", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bbcf5a49fe6d7aa1ec7a4966974ab4c9a28ea9660c0269b327a518a3c1942b24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/controllers/collaborators_controller.rb"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC097", "level": "error", "message": {"text": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing: Rails app disables SSL or CSRF protection. 
Concept from Brakeman check_force_ssl / check_forgery_setting \u2014 re-authored from OWASP A07."}, "properties": {"repobilityId": 118091, "scanner": "repobility-threat-engine", "fingerprint": "43f8e4956a9fd53935f185b4ccdf1a9ca9522e1885f591faddfb05ea657bde1c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC097", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43f8e4956a9fd53935f185b4ccdf1a9ca9522e1885f591faddfb05ea657bde1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/controllers/api/v1_controller.rb"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 118089, "scanner": "repobility-threat-engine", "fingerprint": "73e6360457a9cd86ea8f254c689f5d750c94ceba75962e4ae1257ddff13b40d3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cookbook.update(user_id: recipient.id)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|73e6360457a9cd86ea8f254c689f5d750c94ceba75962e4ae1257ddff13b40d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/models/ownership_transfer_request.rb"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 118088, "scanner": "repobility-threat-engine", "fingerprint": "9c267f4c203f4f3f0e9777be7b9784df02dcb7a82e604bd5143eb46fb51bca92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "resourceable.update(owner: user)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9c267f4c203f4f3f0e9777be7b9784df02dcb7a82e604bd5143eb46fb51bca92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/models/collaborator.rb"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 118087, "scanner": "repobility-threat-engine", "fingerprint": "9b2d65081dbbed40cc5a4b60b918e0ca71a15c12ceba1ca3dd166e853e6c269a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "params.fetch(:q, nil)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9b2d65081dbbed40cc5a4b60b918e0ca71a15c12ceba1ca3dd166e853e6c269a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/controllers/api/v1/cookbooks_controller.rb"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 118081, "scanner": "repobility-threat-engine", "fingerprint": "41720008b9cc139183ca4b21b798e0f33728e30fc74c8b59ebd6980ae265f25b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|41720008b9cc139183ca4b21b798e0f33728e30fc74c8b59ebd6980ae265f25b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/helpers/adoption_helper.rb"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 118080, "scanner": "repobility-threat-engine", "fingerprint": "b22cf1ca68753540f4979f7416e12d6edb3d5400840219d493450c6cfa1e8126", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b22cf1ca68753540f4979f7416e12d6edb3d5400840219d493450c6cfa1e8126"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/controllers/cookbooks_controller.rb"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 118079, "scanner": "repobility-threat-engine", "fingerprint": "ec2bc5795add04028ef5c485db0c03ed4f0f03e2670bb17e2c14b2ad8060d7a9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "HTTP.get(U", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ec2bc5795add04028ef5c485db0c03ed4f0f03e2670bb17e2c14b2ad8060d7a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "omnibus/cookbooks/omnibus-supermarket/recipes/app.rb"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 118075, "scanner": "repobility-supply-chain", "fingerprint": "dcc29b90e22b093882b24b0f6730cd4edd77e68b813df9448ab921115261993f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dcc29b90e22b093882b24b0f6730cd4edd77e68b813df9448ab921115261993f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/brakeman-analysis.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 118074, "scanner": "repobility-supply-chain", "fingerprint": "e1488345a8f2fd28c4db56978d78479b783127f331e95af84f274a85fa2ec39c", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1488345a8f2fd28c4db56978d78479b783127f331e95af84f274a85fa2ec39c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/brakeman-analysis.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 118073, "scanner": "repobility-supply-chain", "fingerprint": "033659e2cd41c973694658e0e6110d86d5aef850024c5ef3f5a819bd42bd8034", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|033659e2cd41c973694658e0e6110d86d5aef850024c5ef3f5a819bd42bd8034"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/brakeman-analysis.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `DavidAnson/markdownlint-cli2-action` pinned to mutable ref `@v14`"}, "properties": {"repobilityId": 118072, "scanner": "repobility-supply-chain", "fingerprint": "bcef04ee8b075681c7b7e0c58c3c6be19fbb111a4aef06f8f9ca42b89eaa9440", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 
0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bcef04ee8b075681c7b7e0c58c3c6be19fbb111a4aef06f8f9ca42b89eaa9440"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-lint.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 118071, "scanner": "repobility-supply-chain", "fingerprint": "ce4650f51aa78a27048bc23bb38a97da0d3aefc00cc766689277209446bc43b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce4650f51aa78a27048bc23bb38a97da0d3aefc00cc766689277209446bc43b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-lint.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `streetsidesoftware/cspell-action` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 118070, "scanner": "repobility-supply-chain", "fingerprint": "e8856ccf4b0ab8ca04d5d8769e8a788c55770175623248c91eceff8bb716b5a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8856ccf4b0ab8ca04d5d8769e8a788c55770175623248c91eceff8bb716b5a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-lint.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": 
"error", "message": {"text": "Action `carlosperate/download-file-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 118069, "scanner": "repobility-supply-chain", "fingerprint": "5097877c9944d201057b54dcee632d55530d795cba9bdb9dcdc3115edbb884a8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5097877c9944d201057b54dcee632d55530d795cba9bdb9dcdc3115edbb884a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-lint.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `carlosperate/download-file-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 118068, "scanner": "repobility-supply-chain", "fingerprint": "1a1a4b2089981018034fec50ae2bd76d7552e27ede97bb834afbbb576c29160e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a1a4b2089981018034fec50ae2bd76d7552e27ede97bb834afbbb576c29160e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-lint.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `carlosperate/download-file-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 118067, "scanner": "repobility-supply-chain", "fingerprint": "87d704df8a227441788ea247e78b034489bed20d4be359c524c2f470cde05bc1", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|87d704df8a227441788ea247e78b034489bed20d4be359c524c2f470cde05bc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-lint.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118066, "scanner": "repobility-supply-chain", "fingerprint": "5e1ee01767a3715de303016a37daefe4b69fbdd143df687e95e12bf605e07ca7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e1ee01767a3715de303016a37daefe4b69fbdd143df687e95e12bf605e07ca7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-lint.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/labeler` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118065, "scanner": "repobility-supply-chain", "fingerprint": "81dbebb6019c259fe2398353b43308724cc7b4b1600bd6d8596a4bbb02353e4a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|81dbebb6019c259fe2398353b43308724cc7b4b1600bd6d8596a4bbb02353e4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/labeler.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `chef/common-github-actions/.github/workflows/ci-main-pull-request.yml` pinned to mutable ref `@v1.0.31`"}, "properties": {"repobilityId": 118064, "scanner": "repobility-supply-chain", "fingerprint": "928d2d949c4b06dd874b86bd5afd55a4e212cdd32c8ed1e8bda36916955b9a60", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|928d2d949c4b06dd874b86bd5afd55a4e212cdd32c8ed1e8bda36916955b9a60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-main-pull-request-stub.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118063, "scanner": "repobility-supply-chain", "fingerprint": "71b97920df64697513b58190e8ba7c702b32d7cc81bab599acf68b731c73a4ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71b97920df64697513b58190e8ba7c702b32d7cc81bab599acf68b731c73a4ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-main-pull-request-stub.yml"}, "region": 
{"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 118062, "scanner": "repobility-supply-chain", "fingerprint": "58a38bdc292ad401fb354ba4027b9b96b6d4fa9b2aa4dc4c5a660bd59408a0a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58a38bdc292ad401fb354ba4027b9b96b6d4fa9b2aa4dc4c5a660bd59408a0a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 118061, "scanner": "repobility-supply-chain", "fingerprint": "1c91f54fb2a7a5ab6f77d05c4de24c031ff235fbd206c0d4b3698c7c2b5f69a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c91f54fb2a7a5ab6f77d05c4de24c031ff235fbd206c0d4b3698c7c2b5f69a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 118060, "scanner": "repobility-supply-chain", "fingerprint": "d9fecb5162d2b0adbe2ae38ebb77a71202f580a5b6543ae5a3076eb261a4638a", "category": "dependency", 
"severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9fecb5162d2b0adbe2ae38ebb77a71202f580a5b6543ae5a3076eb261a4638a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 118059, "scanner": "repobility-supply-chain", "fingerprint": "57f6230c05f22f796fdd018865f8a65d1d53525bbc082754319d58941ebaf4f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57f6230c05f22f796fdd018865f8a65d1d53525bbc082754319d58941ebaf4f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 118058, "scanner": "repobility-supply-chain", "fingerprint": "64507b08d3ffb01d7d0bc6ae159f6b5071fbb4f43473b41147f7123dfbfdca9d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|64507b08d3ffb01d7d0bc6ae159f6b5071fbb4f43473b41147f7123dfbfdca9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ctl-cookbook-testing.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 118057, "scanner": "repobility-supply-chain", "fingerprint": "1e235bd2acbe44fb611fbaf259986f7be0302b24efd3ab61762039a60dbf8907", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e235bd2acbe44fb611fbaf259986f7be0302b24efd3ab61762039a60dbf8907"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ctl-cookbook-testing.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 118056, "scanner": "repobility-supply-chain", "fingerprint": "76d90d7982d43898621e1fb006b4941c9e0e30c27dbfb542baa2e2bb5b9c3969", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76d90d7982d43898621e1fb006b4941c9e0e30c27dbfb542baa2e2bb5b9c3969"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ctl-cookbook-testing.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 118055, "scanner": "repobility-supply-chain", "fingerprint": "548f57d6c9564ef4b6df0d313b218372c2152e157f470bbd6e17e49f479c46a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|548f57d6c9564ef4b6df0d313b218372c2152e157f470bbd6e17e49f479c46a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ctl-cookbook-testing.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redis:latest` unpinned"}, "properties": {"repobilityId": 118054, "scanner": "repobility-supply-chain", "fingerprint": "88acb1b5b778751b75c22ad808bac4bbf11df373dfaa3dd3b23d42add2d4a2b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88acb1b5b778751b75c22ad808bac4bbf11df373dfaa3dd3b23d42add2d4a2b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/unit.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `postgres:13` unpinned"}, "properties": {"repobilityId": 118053, "scanner": "repobility-supply-chain", "fingerprint": "24a29e7db6ff8b563c4f667fdddef893ed29be982919d502126597c7ed5fab1c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24a29e7db6ff8b563c4f667fdddef893ed29be982919d502126597c7ed5fab1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/unit.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redis:latest` unpinned"}, "properties": {"repobilityId": 118052, "scanner": "repobility-supply-chain", "fingerprint": "f894af9b9376488e06e35893eab580789b698e83c7f6216dffca778a436a3961", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f894af9b9376488e06e35893eab580789b698e83c7f6216dffca778a436a3961"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/unit.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `postgres:13` unpinned"}, "properties": {"repobilityId": 118051, "scanner": "repobility-supply-chain", "fingerprint": "02634225f52bd62426c29fa3e5e4caf3704f65328b04e6147e905851be24da7e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|02634225f52bd62426c29fa3e5e4caf3704f65328b04e6147e905851be24da7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/unit.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 118050, "scanner": "repobility-supply-chain", "fingerprint": "2155e3e3798ffa0df1b1087858a69af894df77762039ab047d11f8b695a652e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2155e3e3798ffa0df1b1087858a69af894df77762039ab047d11f8b695a652e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/unit.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 118049, "scanner": "repobility-supply-chain", "fingerprint": "05afff3904ee22a915e96716860c06ebb0e3468273290e5006223e250373b43d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05afff3904ee22a915e96716860c06ebb0e3468273290e5006223e250373b43d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/unit.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, 
"properties": {"repobilityId": 118048, "scanner": "repobility-supply-chain", "fingerprint": "22782dd128647a2bc42ba636a6eddaa7ceef604a4273210300ad9c410b0cdba4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22782dd128647a2bc42ba636a6eddaa7ceef604a4273210300ad9c410b0cdba4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/unit.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 118047, "scanner": "repobility-supply-chain", "fingerprint": "58faa9337ac1bf1eeea859dbbd6ae054563d1d75870b8f688d29a371bcf66a8e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58faa9337ac1bf1eeea859dbbd6ae054563d1d75870b8f688d29a371bcf66a8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/unit.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "GHSA-33qg-7wpp-89cq", "level": "error", "message": {"text": "rack-session: GHSA-33qg-7wpp-89cq"}, "properties": {"repobilityId": 118211, "scanner": "osv-scanner", "fingerprint": "a682dc07edcd04a402f418fcc548da645580292ebd5a355f47edb0afcada0894", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-39324"], "package": "rack-session", "rule_id": "GHSA-33qg-7wpp-89cq", "scanner": "osv-scanner", "correlation_key": "vuln|rack-session|CVE-2026-39324|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/engines/fieri/Gemfile.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 118121, "scanner": "gitleaks", "fingerprint": "84f26acaa208ec4e99c68c29548f86d1d6859792a639ed81c1c57d21f8dbfdca", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "AuthParam=REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|439|authparam redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/app/assets/data/licenses.json"}, "region": {"startLine": 4395}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 118120, "scanner": "gitleaks", "fingerprint": "ea09ac2463f8fac339c5d9a371b15624109c2a5901df89577122a3d71bb9e4a9", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "secret_key_base: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|2|secret_key_base: redacted", "duplicate_count": 1, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": 
["365f820038a3736c83f73d216fcc4590dee8a3faaf61f44d15ef193e87b8cd0d", "ea09ac2463f8fac339c5d9a371b15624109c2a5901df89577122a3d71bb9e4a9"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/secrets.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 118119, "scanner": "gitleaks", "fingerprint": "98d6c823f08f8f25ae21ecd57905513f5b5fbb82d1ee6e07bd098bd5e871ced0", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "api_key: <redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|api_key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/config/secrets.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 118118, "scanner": "gitleaks", "fingerprint": "fedf5d777dd73c8747b1f0bd38351160def106c1d98f0b0924e66e0061182862", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|1|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["private-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["3e9c45d0bb9adc0488112dd71024191a25f2962292b4aca91157164c3b98923c", 
"fedf5d777dd73c8747b1f0bd38351160def106c1d98f0b0924e66e0061182862"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/spec/support/key_fixtures/valid_private_key.pem"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 118117, "scanner": "gitleaks", "fingerprint": "68d8c1853d71f4e3ccfd10fb25f3a2b02d7acf1492f921e61485b5d0c5fb6f74", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "secret_key_base: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|secret_key_base: redacted", "duplicate_count": 1, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["68d8c1853d71f4e3ccfd10fb25f3a2b02d7acf1492f921e61485b5d0c5fb6f74", "e638ccfdbfe76198009d4e73bedd0a61ff3d77fb66452e5427222347a009420d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/supermarket/engines/fieri/spec/dummy/config/secrets.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 118116, "scanner": "gitleaks", "fingerprint": "e75e792afcbf07064b87d43d7fdedfd325b102df8d982d9c322de4f2f1d4ba7d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "chef_oauth2_secret\": \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": 
"generic-api-key", "correlation_key": "secret|token|33|chef_oauth2_secret : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/content/supermarket/install_supermarket.md"}, "region": {"startLine": 331}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 118115, "scanner": "gitleaks", "fingerprint": "8515d6b761a91e150591be6608430249b9e756f926485bf1f70af427092b4408", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "chef_oauth2_app_id\": \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|32|chef_oauth2_app_id : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/content/supermarket/install_supermarket.md"}, "region": {"startLine": 330}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 118114, "scanner": "gitleaks", "fingerprint": "1de59b3bb15a9a144481909caebed595a0f3ea311d9592a95a196db8da144d6a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "secret\": \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|7|secret : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-chef-io/content/supermarket/install_supermarket.md"}, "region": {"startLine": 75}}}]}]}]}