{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged 
without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat. Note that parameterized logging alone does not stop log4shell-style lookups, which also fire on argument values; that requires a patched logging library. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() 
on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. 
Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED083] Java Thread Start (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar`", "shortDescription": {"text": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 8740 source files. Trojan binaries inside otherw"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. 
If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ubuntu:noble-20250404` not pinned by digest: `FROM ubuntu:noble-20250404` resolves the tag a", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ubuntu:noble-20250404` not pinned by digest: `FROM ubuntu:noble-20250404` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Prod"}, "fullDescription": {"text": "Replace with: `FROM ubuntu:noble-20250404@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the resolved path starts with your expected base directory (compare against the base path with its trailing separator, so a sibling directory sharing the prefix is not accepted). Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of servic"}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED005", "name": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection.", "shortDescription": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/802"}, "properties": {"repository": "spring-projects/spring-boot", "repoUrl": "https://github.com/spring-projects/spring-boot", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 68482, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Spring Boot"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 68481, "scanner": "repobility-docker", "fingerprint": "aa272e112dec237401e83d6e8c2e5a43be5823a699f18bc6586b446dbd14098c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:noble-20250404", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|aa272e112dec237401e83d6e8c2e5a43be5823a699f18bc6586b446dbd14098c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-test/spring-boot-loader-integration-tests/src/dockerTest/resources/conf/oracle-jdk-17/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 68480, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 68479, "scanner": "repobility-docker", "fingerprint": "43c198aaa7b5a87eeead053ef009c4bfadafba63b9699e457f5675b55b38ebd9", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "bellsoft/liberica-openjre-debian:25-cds", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|43c198aaa7b5a87eeead053ef009c4bfadafba63b9699e457f5675b55b38ebd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/spring-boot-docs/src/docs/antora/modules/reference/partials/dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 68447, "scanner": "repobility-threat-engine", "fingerprint": "22673657170b0b4b09eefaa6d0c375b6d7de837a681b1bfe1102a01bfee32942", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Log.info(\"Using service at \" + request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|22673657170b0b4b09eefaa6d0c375b6d7de837a681b1bfe1102a01bfee32942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/spring-boot-cli/src/main/java/org/springframework/boot/cli/command/init/InitializrService.java"}, "region": {"startLine": 92}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 68440, "scanner": "repobility-threat-engine", "fingerprint": "d8372785c78e48cfd15d926cce309445590c56b07037dbdb1fdf234a54a3d522", "category": "error_handling", 
"severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (Exception ex) {\n\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d8372785c78e48cfd15d926cce309445590c56b07037dbdb1fdf234a54a3d522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildSrc/SpringRepositorySupport.groovy"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 68423, "scanner": "repobility-threat-engine", "fingerprint": "813a7a7a7395ea2e27d27c42285fba6f2aa2173142aa19e10f85b46db307f607", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|107|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/intTest/java/org/springframework/boot/maven/WarIntegrationTests.java"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 68422, "scanner": "repobility-threat-engine", "fingerprint": "2eb6a8d5d0fcdbe3f8538171ea8f4fa0c58de1a30dfc85c6e220c71ce4b46ed9", 
"category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ZipEntry::getName", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|181|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/intTest/java/org/springframework/boot/maven/AbstractArchiveIntegrationTests.java"}, "region": {"startLine": 181}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 68421, "scanner": "repobility-threat-engine", "fingerprint": "153430cb0177e9284daf23dc673fb0ca89b544db0ede92485b31b62a803ca589", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|62|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/bundling/LoaderZipEntries.java"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 68416, "scanner": "repobility-threat-engine", "fingerprint": "b24bb877e0f67ef6cfa23f15bf6d9af8a6e4ed3e8d9974cf7de252c73f6a4125", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|66|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/run/BootRun.java"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 68415, "scanner": "repobility-threat-engine", "fingerprint": "b39bfe42a502ac5e0f42c9e31eff80c165010f8e803fe881d5e8631f88d671b6", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|83|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/aot/ProcessTestAot.java"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 68414, "scanner": "repobility-threat-engine", "fingerprint": "4648c886bc241f647c49b7806da5d658f6b317c3a06bfa75ef706d8fdfca0e28", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|50|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/aot/ProcessAot.java"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 68411, "scanner": "repobility-threat-engine", "fingerprint": "e9f7665b07753cad5d75dd61c93b8d168a17ae0c83a2746c5f0d7d2c6ea163f4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"user@example.com\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e9f7665b07753cad5d75dd61c93b8d168a17ae0c83a2746c5f0d7d2c6ea163f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-gradle-plugin/src/docs/antora/modules/gradle-plugin/examples/packaging/boot-build-image-docker-auth-user.gradle.kts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68478, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ad631d4d0d1d3982048b907d79a10cdf21443cdd35ce2177e412470467b3aa2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/task/TaskExecutionProperties.java", "duplicate_line": 111, "correlation_key": "fp|1ad631d4d0d1d3982048b907d79a10cdf21443cdd35ce2177e412470467b3aa2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"core/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/task/TaskSchedulingProperties.java"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68477, "scanner": "repobility-ai-code-hygiene", "fingerprint": "578b21858c8768d6a583e7f02b1e13cdc3ccac810813d38981bcd0487955f605", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "configuration-metadata/spring-boot-configuration-processor/src/main/java/org/springframework/boot/configurationprocessor/metadata/ItemDeprecation.java", "duplicate_line": 67, "correlation_key": "fp|578b21858c8768d6a583e7f02b1e13cdc3ccac810813d38981bcd0487955f605"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-processor/src/main/java/org/springframework/boot/configurationprocessor/metadata/ItemMetadata.java"}, "region": {"startLine": 119}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68476, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74888d7bb87a2ff5b0b078ce0459197e7a0bf4c6ca7914e778f066f08eac8d75", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"configuration-metadata/spring-boot-configuration-metadata/src/main/java/org/springframework/boot/configurationmetadata/ConfigurationMetadataProperty.java", "duplicate_line": 18, "correlation_key": "fp|74888d7bb87a2ff5b0b078ce0459197e7a0bf4c6ca7914e778f066f08eac8d75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-processor/src/main/java/org/springframework/boot/configurationprocessor/metadata/ItemMetadata.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68475, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2412a4a486d8f51fd1082960933df09dd6a38b679660d7484da079d58d59d173", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "configuration-metadata/spring-boot-configuration-processor/src/main/java/org/springframework/boot/configurationprocessor/JavaBeanPropertyDescriptor.java", "duplicate_line": 30, "correlation_key": "fp|2412a4a486d8f51fd1082960933df09dd6a38b679660d7484da079d58d59d173"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-processor/src/main/java/org/springframework/boot/configurationprocessor/LombokPropertyDescriptor.java"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68474, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa9ced496d11e75cfced5ef255472c64a652d781601f6c2f94393a1aa3da4098", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONTokener.java", "duplicate_line": 2, "correlation_key": "fp|aa9ced496d11e75cfced5ef255472c64a652d781601f6c2f94393a1aa3da4098"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-processor/src/json-shade/java/org/springframework/boot/configurationprocessor/json/JSONTokener.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68473, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8b77cac2bcaeccc5685fbcad3a9e0a6e77b30a0ed9ab5bf793c0c8d839a38e50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONStringer.java", "duplicate_line": 2, "correlation_key": "fp|8b77cac2bcaeccc5685fbcad3a9e0a6e77b30a0ed9ab5bf793c0c8d839a38e50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-processor/src/json-shade/java/org/springframework/boot/configurationprocessor/json/JSONStringer.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 68472, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8cbf175ef1680e1b7eb11b9c17c783f0bb1274cca1bc17c099292455ead1303", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONArray.java", "duplicate_line": 245, "correlation_key": "fp|f8cbf175ef1680e1b7eb11b9c17c783f0bb1274cca1bc17c099292455ead1303"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-processor/src/json-shade/java/org/springframework/boot/configurationprocessor/json/JSONObject.java"}, "region": {"startLine": 264}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68471, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bff5186eaee63c9095ce6a024a327799e0c8a3f194417a0f3becba2021d1e649", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONObject.java", "duplicate_line": 2, "correlation_key": "fp|bff5186eaee63c9095ce6a024a327799e0c8a3f194417a0f3becba2021d1e649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"configuration-metadata/spring-boot-configuration-processor/src/json-shade/java/org/springframework/boot/configurationprocessor/json/JSONObject.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68470, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1da9dcc71133cb3333fea2e053a13721e3a28bb3f8049e7fba97a01b15ba35cf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONArray.java", "duplicate_line": 2, "correlation_key": "fp|1da9dcc71133cb3333fea2e053a13721e3a28bb3f8049e7fba97a01b15ba35cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-processor/src/json-shade/java/org/springframework/boot/configurationprocessor/json/JSONArray.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68469, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d000b9ab25865ede9a7252981132bb81b6917ab71491141605b7e6f07d502c4a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSON.java", 
"duplicate_line": 2, "correlation_key": "fp|d000b9ab25865ede9a7252981132bb81b6917ab71491141605b7e6f07d502c4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-processor/src/json-shade/java/org/springframework/boot/configurationprocessor/json/JSON.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68468, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7d3a2a5c2ee0946f02b561e267a13db84d7d6138f62f56a4f19510bd091a26c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "configuration-metadata/spring-boot-configuration-metadata/src/main/java/org/springframework/boot/configurationmetadata/ConfigurationMetadataProperty.java", "duplicate_line": 30, "correlation_key": "fp|7d3a2a5c2ee0946f02b561e267a13db84d7d6138f62f56a4f19510bd091a26c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-metadata/src/main/java/org/springframework/boot/configurationmetadata/ValueHint.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68467, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ade8be152cc7b4d1e1ebffb8259466234895547ca3b6c1453b93d1fa786fe14e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONTokener.java", "duplicate_line": 2, "correlation_key": "fp|ade8be152cc7b4d1e1ebffb8259466234895547ca3b6c1453b93d1fa786fe14e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-metadata/src/json-shade/java/org/springframework/boot/configurationmetadata/json/JSONTokener.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68466, "scanner": "repobility-ai-code-hygiene", "fingerprint": "629c07f861ce6775b4c4acd0a14c19bd83d6b8d97d58765cde2972a78ae1126c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONStringer.java", "duplicate_line": 2, "correlation_key": "fp|629c07f861ce6775b4c4acd0a14c19bd83d6b8d97d58765cde2972a78ae1126c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-metadata/src/json-shade/java/org/springframework/boot/configurationmetadata/json/JSONStringer.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68465, "scanner": "repobility-ai-code-hygiene", "fingerprint": "18af0b28b06d72426eb4916087adcb1e4b0a4e9f7dae51421edf43cf4aec6cdd", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONArray.java", "duplicate_line": 245, "correlation_key": "fp|18af0b28b06d72426eb4916087adcb1e4b0a4e9f7dae51421edf43cf4aec6cdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-metadata/src/json-shade/java/org/springframework/boot/configurationmetadata/json/JSONObject.java"}, "region": {"startLine": 264}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68464, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e0152180c2b81ff22409836783bf6ed52b952027221f1a09cca59016be99259", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONObject.java", "duplicate_line": 2, "correlation_key": "fp|5e0152180c2b81ff22409836783bf6ed52b952027221f1a09cca59016be99259"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-metadata/src/json-shade/java/org/springframework/boot/configurationmetadata/json/JSONObject.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 68463, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c15d4f4d65c534edb26ccb0c0285e26e1649bd05be670f9b4666a9963aa1367a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONArray.java", "duplicate_line": 2, "correlation_key": "fp|c15d4f4d65c534edb26ccb0c0285e26e1649bd05be670f9b4666a9963aa1367a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration-metadata/spring-boot-configuration-metadata/src/json-shade/java/org/springframework/boot/configurationmetadata/json/JSONArray.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68462, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d0437b2668c724685f5ec8057cdb6d2c83e8bf26f9a24e96db9d5621744fb947", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSON.java", "duplicate_line": 2, "correlation_key": "fp|d0437b2668c724685f5ec8057cdb6d2c83e8bf26f9a24e96db9d5621744fb947"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"configuration-metadata/spring-boot-configuration-metadata/src/json-shade/java/org/springframework/boot/configurationmetadata/json/JSON.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68461, "scanner": "repobility-ai-code-hygiene", "fingerprint": "894ef20be333c892f6f469154206231f783211495075161dfa888f1fa9b8f86f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONArray.java", "duplicate_line": 245, "correlation_key": "fp|894ef20be333c892f6f469154206231f783211495075161dfa888f1fa9b8f86f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/spring-boot-cli/src/json-shade/java/org/springframework/boot/cli/json/JSONObject.java"}, "region": {"startLine": 264}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68460, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7aeb1135ead5a842014c6242d94ab1302f8c3e0763ac5645ef8dcd8fb1e34300", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "buildpack/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/type/Manifest.java", "duplicate_line": 19, 
"correlation_key": "fp|7aeb1135ead5a842014c6242d94ab1302f8c3e0763ac5645ef8dcd8fb1e34300"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildpack/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/type/ManifestList.java"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68459, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72d9be29ce901b042d1a4637d28ffd23dbc8246e4addfbeff7e4a72916e0de5f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "buildpack/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/LoadImageUpdateEvent.java", "duplicate_line": 17, "correlation_key": "fp|72d9be29ce901b042d1a4637d28ffd23dbc8246e4addfbeff7e4a72916e0de5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildpack/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/PushImageUpdateEvent.java"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68458, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00b1d074fd7ec06a63f429ca426b4116ed78d131f9a88fbfcd75ddf285cd2c00", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "build-plugin/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/util/VersionExtractor.java", "duplicate_line": 14, "correlation_key": "fp|00b1d074fd7ec06a63f429ca426b4116ed78d131f9a88fbfcd75ddf285cd2c00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/VersionExtractor.java"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68457, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f19fc55fc0598096cb3a06ffd1a480d78aa6debfc502fc8a71ceb43f7755ea7d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/RunMojo.java", "duplicate_line": 26, "correlation_key": "fp|f19fc55fc0598096cb3a06ffd1a480d78aa6debfc502fc8a71ceb43f7755ea7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/TestRunMojo.java"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 68456, "scanner": "repobility-ai-code-hygiene", "fingerprint": "68e9ba90097c090aa87aabc9e0912e9d33cb49caac626f2ec7daf5467d4da829", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "build-plugin/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/bundling/BootJar.java", "duplicate_line": 71, "correlation_key": "fp|68e9ba90097c090aa87aabc9e0912e9d33cb49caac626f2ec7daf5467d4da829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/bundling/BootWar.java"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 68419, "scanner": "repobility-threat-engine", "fingerprint": "c3855cf324f1ca54afd57813236d6a51e4c7581b34285c9ed357ff244a66c257", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Creating repackaged archive \" + target + \" with classifier \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c3855cf324f1ca54afd57813236d6a51e4c7581b34285c9ed357ff244a66c257"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/RepackageMojo.java"}, "region": {"startLine": 234}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 68418, "scanner": "repobility-threat-engine", "fingerprint": "a031f70f032d46e4c6fd2a4e49e835f6aa9de43317186843972f55655428f105", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Invalid Docker \" + type\n\t\t\t\t+ \" registry configuration, either token or username/password must be p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a031f70f032d46e4c6fd2a4e49e835f6aa9de43317186843972f55655428f105"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/Docker.java"}, "region": {"startLine": 211}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 68417, "scanner": "repobility-threat-engine", "fingerprint": "1e14a5e4c609ca56da31e173ddd3a4ac12b3c42fb03570164608224bdc307e54", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Invalid Docker \" + type\n\t\t\t\t+ \" registry configuration, either token or username/password must be p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1e14a5e4c609ca56da31e173ddd3a4ac12b3c42fb03570164608224bdc307e54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/bundling/DockerSpec.java"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 68453, "scanner": "repobility-threat-engine", "fingerprint": "3d858423d2df50e5a017d58c8788492284fc4504b4457ba4f3948a843747a4fd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3d858423d2df50e5a017d58c8788492284fc4504b4457ba4f3948a843747a4fd"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/launch/JarModeRunner.java"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 68452, "scanner": "repobility-threat-engine", "fingerprint": "5e9bfee03a7a43f7f8d43815f92ebd5247653829833b857158b93ee086c50632", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e9bfee03a7a43f7f8d43815f92ebd5247653829833b857158b93ee086c50632"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-test/spring-boot-sni-integration-tests/spring-boot-sni-client-app/src/main/java/org/springframework/boot/sni/client/SniClientApplication.java"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 68451, "scanner": "repobility-threat-engine", "fingerprint": "4205bbaabb67488e5d7c51b3209ec442824c550e311a038a33a1c46e9c33a8c3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, 
"promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4205bbaabb67488e5d7c51b3209ec442824c550e311a038a33a1c46e9c33a8c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/spring-boot/src/main/java/org/springframework/boot/ExitCodeGenerators.java"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 68450, "scanner": "repobility-threat-engine", "fingerprint": "2cb6724ab0749e3b2716791abe179fcfdd6d9bc74c55a8c01bdcca31e4317ba9", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|138|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "loader/spring-boot-loader/src/main/java/org/springframework/boot/loader/launch/JarFileArchive.java"}, "region": {"startLine": 138}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 68449, "scanner": "repobility-threat-engine", "fingerprint": "211b77a955adf2265d29605065453544c06bce72aebd9054bf8f01c525d22084", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|128|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-test/spring-boot-server-integration-tests/src/intTest/java/org/springframework/boot/context/embedded/EmbeddedServerContainerInvocationContextProvider.java"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 68448, "scanner": "repobility-threat-engine", "fingerprint": "400c440ae6c56a7c5ecfbd1ee0f4915530969b6338a5603a8ff03997aa77e934", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|75|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/spring-boot-docker-compose/src/dockerTest/java/org/springframework/boot/docker/compose/core/DockerCliIntegrationTests.java"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 68446, "scanner": "repobility-threat-engine", "fingerprint": "6051ea758843b6ed68b455d709042d2268cab1c99d8af234e1c6a7fbf59c516d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6051ea758843b6ed68b455d709042d2268cab1c99d8af234e1c6a7fbf59c516d", "aggregated_count": 3}}}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 68445, "scanner": "repobility-threat-engine", "fingerprint": "7c9b3936226cdfc86f675f713552604df67ee9d7374e09c5155f6d113b599804", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7c9b3936226cdfc86f675f713552604df67ee9d7374e09c5155f6d113b599804"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/spring-boot/src/main/java/org/springframework/boot/SpringBootExceptionHandler.java"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 68444, "scanner": "repobility-threat-engine", "fingerprint": "bbcb7f3523f7d3d275bc77026f9f4bff7d38310ae1ed63417fe316720d0775bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bbcb7f3523f7d3d275bc77026f9f4bff7d38310ae1ed63417fe316720d0775bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/spring-boot-cli/src/main/java/org/springframework/boot/cli/command/shell/Shell.java"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 68443, "scanner": "repobility-threat-engine", "fingerprint": "9f0b779b7cadea49d8c0fb6522a6d88d4a8ab0c680817bd0f0f0a76c2c3bfc25", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f0b779b7cadea49d8c0fb6522a6d88d4a8ab0c680817bd0f0f0a76c2c3bfc25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/spring-boot-cli/src/main/java/org/springframework/boot/cli/SpringCli.java"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk. Note: this C++ rule (languages: cpp) matched a Groovy source file (buildSrc/SpringRepositorySupport.groovy). Groovy runs on the JVM, where objects created with `new` are garbage-collected, so the C++ leak reasoning does not apply; treat this as a language-mismatch false positive rather than a confirmed finding."}, "properties": {"repobilityId": 68439, 
"scanner": "repobility-threat-engine", "fingerprint": "4978b499eab2b5813245df5906091d3ab306405cdbaec1c03291c99f594160c9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4978b499eab2b5813245df5906091d3ab306405cdbaec1c03291c99f594160c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildSrc/SpringRepositorySupport.groovy"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 68437, "scanner": "repobility-threat-engine", "fingerprint": "b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c"}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 68433, "scanner": "repobility-threat-engine", "fingerprint": "18f784dfe40a9db7e9eeb4da73c7a90cbbac138b56c85550563cf29eca32aee2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|18f784dfe40a9db7e9eeb4da73c7a90cbbac138b56c85550563cf29eca32aee2", "aggregated_count": 3}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. 
Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 68432, "scanner": "repobility-threat-engine", "fingerprint": "cfdc65704fd20c1c376d6dda453c1d069ef92f9deab06a8334047767be84aecc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cfdc65704fd20c1c376d6dda453c1d069ef92f9deab06a8334047767be84aecc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/spring-boot-cli/src/intTest/java/org/springframework/boot/cli/infrastructure/CommandLineInvoker.java"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. 
Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 68431, "scanner": "repobility-threat-engine", "fingerprint": "d2017413cff96a0fa4ae581bc09507bcb183631b7f413e5c37ea617da618cc5c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2017413cff96a0fa4ae581bc09507bcb183631b7f413e5c37ea617da618cc5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/TestRunMojo.java"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. 
Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 68430, "scanner": "repobility-threat-engine", "fingerprint": "9829fc638e3247e1864afa031c782fb473f31b27f3d5b5bde311726e4821ba84", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9829fc638e3247e1864afa031c782fb473f31b27f3d5b5bde311726e4821ba84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/RunMojo.java"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 68428, "scanner": "repobility-threat-engine", "fingerprint": "87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 16 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e"}}}, {"ruleId": "SEC012", "level": "none", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 68424, "scanner": "repobility-threat-engine", "fingerprint": "c5983a30bf6c55fa4c5b3481e689c065ece1a7495938c1f5c1e0ca182ac75572", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c5983a30bf6c55fa4c5b3481e689c065ece1a7495938c1f5c1e0ca182ac75572"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 68420, "scanner": "repobility-threat-engine", "fingerprint": "0171b5ddf4001499c61748561fce3820344a238e96c53f70ef40fad83a0a10ba", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0171b5ddf4001499c61748561fce3820344a238e96c53f70ef40fad83a0a10ba"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 68413, "scanner": "repobility-threat-engine", "fingerprint": "ca6658417c266a9564ab99f0a870cbe47691d0ecdec0998649d57b379f1b02f4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca6658417c266a9564ab99f0a870cbe47691d0ecdec0998649d57b379f1b02f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/AbstractPackagerMojo.java"}, "region": {"startLine": 236}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 68412, "scanner": "repobility-threat-engine", "fingerprint": "0903c5aacb111f35d3425e1b0a36d60267fd549c46d652781588be4214526e5a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], 
"precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0903c5aacb111f35d3425e1b0a36d60267fd549c46d652781588be4214526e5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-gradle-plugin/src/docs/antora/modules/gradle-plugin/examples/packaging/boot-build-image-env-proxy.gradle.kts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 8740 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. Note: the Gradle wrapper jar is expected in a Gradle project, and unlike the other flagged jars (which sit under test/intTest resource directories and are only loaded by tests) it is executed on every build, making it the highest-value target among the flagged binaries. Rather than removing it, verify its SHA-256 against the checksum Gradle publishes for the declared wrapper version, and re-verify on every change that touches this file."}, "properties": {"repobilityId": 68519, "scanner": "repobility-supply-chain", "fingerprint": "475d6541332a2ab39a278d008af4f931a7eaf9ba78d21b299e3205430d56154d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|475d6541332a2ab39a278d008af4f931a7eaf9ba78d21b299e3205430d56154d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `build-plugin/spring-boot-maven-plugin/src/intTest/projects/run-additional-classpath-jar/src/main/additional-jar/resources-1.0.0.jar` committed in source repo: 
`build-plugin/spring-boot-maven-plugin/src/intTest/projects/run-additional-classpath-jar/src/main/additional-jar/resources-1.0.0.jar` is a .jar binary (657 bytes) committed to a repo that otherwise has 8740 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromi"}, "properties": {"repobilityId": 68518, "scanner": "repobility-supply-chain", "fingerprint": "731f87d5ca58fdcbfa8ac83e33681c238ea9bbfff6362a1581ac870ac1173658", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|731f87d5ca58fdcbfa8ac83e33681c238ea9bbfff6362a1581ac870ac1173658"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/intTest/projects/run-additional-classpath-jar/src/main/additional-jar/resources-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `build-plugin/spring-boot-maven-plugin/src/intTest/projects/jar-system-scope/sample-1.0.0.jar` committed in source repo: `build-plugin/spring-boot-maven-plugin/src/intTest/projects/jar-system-scope/sample-1.0.0.jar` is a .jar binary (425 bytes) committed to a repo that otherwise has 8740 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 68517, "scanner": "repobility-supply-chain", "fingerprint": "b6f806095d29b780217084c0cd0ca97ce9315694255f9c977c5119d88d778d29", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6f806095d29b780217084c0cd0ca97ce9315694255f9c977c5119d88d778d29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/intTest/projects/jar-system-scope/sample-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `build-plugin/spring-boot-maven-plugin/src/intTest/projects/jar-system-scope-default/sample-1.0.0.jar` committed in source repo: `build-plugin/spring-boot-maven-plugin/src/intTest/projects/jar-system-scope-default/sample-1.0.0.jar` is a .jar binary (425 bytes) committed to a repo that otherwise has 8740 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by b"}, "properties": {"repobilityId": 68516, "scanner": "repobility-supply-chain", "fingerprint": "433b80e13519a776538ce58d4a71d1b123b464563d60a70edb99a3bc44fac7d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|433b80e13519a776538ce58d4a71d1b123b464563d60a70edb99a3bc44fac7d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/intTest/projects/jar-system-scope-default/sample-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `build-plugin/spring-boot-maven-plugin/src/intTest/projects/war-system-scope/sample-1.0.0.jar` committed in source repo: `build-plugin/spring-boot-maven-plugin/src/intTest/projects/war-system-scope/sample-1.0.0.jar` is a .jar binary (425 bytes) committed to a repo that otherwise has 8740 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 68515, "scanner": "repobility-supply-chain", "fingerprint": "ad4a939a892550e44a3afd0a52fca4223cb456a4214209201823ca362b5b06d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad4a939a892550e44a3afd0a52fca4223cb456a4214209201823ca362b5b06d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/intTest/projects/war-system-scope/sample-1.0.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `build-plugin/spring-boot-gradle-plugin/src/test/resources/repository/com/example/library/1.0-SNAPSHOT/library-1.0-SNAPSHOT.jar` committed in source repo: `build-plugin/spring-boot-gradle-plugin/src/test/resources/repository/com/example/library/1.0-SNAPSHOT/library-1.0-SNAPSHOT.jar` is a .jar binary (261 bytes) committed to a repo that otherwise has 8740 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised depend"}, "properties": {"repobilityId": 68514, "scanner": "repobility-supply-chain", "fingerprint": "a2d3e67a9e181180ecf86da485c1fd41da6771c095410836cbab23e0a81bc70b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2d3e67a9e181180ecf86da485c1fd41da6771c095410836cbab23e0a81bc70b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-gradle-plugin/src/test/resources/repository/com/example/library/1.0-SNAPSHOT/library-1.0-SNAPSHOT.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `build-plugin/spring-boot-gradle-plugin/src/test/resources/repository/commons-io-consumer/two/1.0/two-1.0.jar` committed in source repo: `build-plugin/spring-boot-gradle-plugin/src/test/resources/repository/commons-io-consumer/two/1.0/two-1.0.jar` is a .jar binary (261 bytes) committed to a repo that otherwise has 8740 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that ge"}, "properties": {"repobilityId": 68513, "scanner": "repobility-supply-chain", "fingerprint": "47ba5671fbd897fd93c7dbe9399bf8c8573b75707e439046b85684b7f82c4827", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47ba5671fbd897fd93c7dbe9399bf8c8573b75707e439046b85684b7f82c4827"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-gradle-plugin/src/test/resources/repository/commons-io-consumer/two/1.0/two-1.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `build-plugin/spring-boot-gradle-plugin/src/test/resources/repository/commons-io-consumer/one/1.0/one-1.0.jar` committed in source repo: `build-plugin/spring-boot-gradle-plugin/src/test/resources/repository/commons-io-consumer/one/1.0/one-1.0.jar` is a .jar binary (261 bytes) committed to a repo that otherwise has 8740 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that ge"}, "properties": {"repobilityId": 68512, "scanner": "repobility-supply-chain", "fingerprint": "16689fa7bcb9c494d5b4c6010a72f662522d57ca8c6081500f8baa851c604f56", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16689fa7bcb9c494d5b4c6010a72f662522d57ca8c6081500f8baa851c604f56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-gradle-plugin/src/test/resources/repository/commons-io-consumer/one/1.0/one-1.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `loader/spring-boot-loader/src/test/resources/jars/mismatch.jar` committed in source repo: `loader/spring-boot-loader/src/test/resources/jars/mismatch.jar` is a .jar binary (4,953 bytes) committed to a repo that otherwise has 8740 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 68511, "scanner": "repobility-supply-chain", "fingerprint": "054184618a2b3d1bf34679688598e6e9bd5b50fcb505b373c920a583347b801f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|054184618a2b3d1bf34679688598e6e9bd5b50fcb505b373c920a583347b801f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "loader/spring-boot-loader/src/test/resources/jars/mismatch.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `loader/spring-boot-loader/src/test/resources/jars/app.jar` committed in source repo: `loader/spring-boot-loader/src/test/resources/jars/app.jar` is a .jar binary (2,213 bytes) committed to a repo that otherwise has 8740 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 68510, "scanner": "repobility-supply-chain", "fingerprint": "cc82c6cdf8e3bd531320ba28cb7d761ca64cf6c047b3beb06ac11d3fe3aa6504", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc82c6cdf8e3bd531320ba28cb7d761ca64cf6c047b3beb06ac11d3fe3aa6504"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "loader/spring-boot-loader/src/test/resources/jars/app.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `loader/spring-boot-loader/src/test/resources/nested-jars/nested-jar-app.jar` committed in source repo: `loader/spring-boot-loader/src/test/resources/nested-jars/nested-jar-app.jar` is a .jar binary (1,408 bytes) committed to a repo that otherwise has 8740 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 68509, "scanner": "repobility-supply-chain", "fingerprint": "c8ef1dd037a81cf5b2bc7a11a3ae4eeae9d12c78f4fd068266654feee327d1e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8ef1dd037a81cf5b2bc7a11a3ae4eeae9d12c78f4fd068266654feee327d1e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "loader/spring-boot-loader/src/test/resources/nested-jars/nested-jar-app.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `loader/spring-boot-loader/src/test/resources/nested-jars/app.jar` committed in source repo: `loader/spring-boot-loader/src/test/resources/nested-jars/app.jar` is a .jar binary (3,313 bytes) committed to a repo that otherwise has 8740 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 68508, "scanner": "repobility-supply-chain", "fingerprint": "be4747484d548ced5c57d9b157628ef09036a59ed114a023b74ea78f8b7fc604", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be4747484d548ced5c57d9b157628ef09036a59ed114a023b74ea78f8b7fc604"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "loader/spring-boot-loader/src/test/resources/nested-jars/app.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `loader/spring-boot-loader/src/test/resources/more-jars/app.jar` committed in source repo: `loader/spring-boot-loader/src/test/resources/more-jars/app.jar` is a .jar binary (1,150 bytes) committed to a repo that otherwise has 8740 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 68507, "scanner": "repobility-supply-chain", "fingerprint": "b1c12d19bf75782d023856dfc307fa326e7c85ca37c0b9105793991eadd80ced", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1c12d19bf75782d023856dfc307fa326e7c85ca37c0b9105793991eadd80ced"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "loader/spring-boot-loader/src/test/resources/more-jars/app.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68506, "scanner": "repobility-supply-chain", "fingerprint": "76dc02c1de79b957c25bedeb553dd2909d30c4f7e8c208dc64a8ef6bd24285bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76dc02c1de79b957c25bedeb553dd2909d30c4f7e8c208dc64a8ef6bd24285bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-milestone.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68505, "scanner": "repobility-supply-chain", "fingerprint": "6f261161b9a31a241229310d6b496d4096faea37c3a670909b54b9f7bb83727f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6f261161b9a31a241229310d6b496d4096faea37c3a670909b54b9f7bb83727f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-milestone.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68504, "scanner": "repobility-supply-chain", "fingerprint": "340d6b2d508840a4ba9d45fdb79412eb31961f65795d55783a4e7c7cbb825519", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|340d6b2d508840a4ba9d45fdb79412eb31961f65795d55783a4e7c7cbb825519"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-milestone.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68503, "scanner": "repobility-supply-chain", "fingerprint": "e0b069b3bda2b5b1b5881788c24cd59d76fc1e3750a67f49c32780e292cf1c7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0b069b3bda2b5b1b5881788c24cd59d76fc1e3750a67f49c32780e292cf1c7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-milestone.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68502, "scanner": "repobility-supply-chain", "fingerprint": "1b1d0cae4b5a5faad9b16aaddaa41fa0106023ad4d4ea7a5e00e7d0b3b295aba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b1d0cae4b5a5faad9b16aaddaa41fa0106023ad4d4ea7a5e00e7d0b3b295aba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68501, "scanner": "repobility-supply-chain", "fingerprint": "5275a015e99bb156a7b1c8bd5b3dfcb5d6b91c23f6ed50ad98ffd2e620978595", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5275a015e99bb156a7b1c8bd5b3dfcb5d6b91c23f6ed50ad98ffd2e620978595"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68500, "scanner": "repobility-supply-chain", "fingerprint": "e79910c5ee669c98dc384f7db7b5b82feaeb0d5974fac711ba830c8711cced04", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e79910c5ee669c98dc384f7db7b5b82feaeb0d5974fac711ba830c8711cced04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68499, "scanner": "repobility-supply-chain", "fingerprint": "e7fdf295c547f975c44f41e3d4045e8be19c5e85ecb7862c38ccba908c7bd98b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e7fdf295c547f975c44f41e3d4045e8be19c5e85ecb7862c38ccba908c7bd98b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68498, "scanner": "repobility-supply-chain", "fingerprint": "b0b504a76fabb4d5acf87678cccf31e80be9bdecd1ce7282250457e3f3fe749b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0b504a76fabb4d5acf87678cccf31e80be9bdecd1ce7282250457e3f3fe749b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68497, "scanner": "repobility-supply-chain", "fingerprint": "c43b18b18f96b85a96e1589ada0262f635715cd8d9b77caed121ccc1b997bb81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c43b18b18f96b85a96e1589ada0262f635715cd8d9b77caed121ccc1b997bb81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68496, "scanner": "repobility-supply-chain", "fingerprint": "328741cf16050665284e4c3d57f021ffc3993de56adb7a87b9d0601ca52060e9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|328741cf16050665284e4c3d57f021ffc3993de56adb7a87b9d0601ca52060e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-pull-request.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68495, "scanner": "repobility-supply-chain", "fingerprint": "307924509ff64d7a7559ca89fa9c56bcc687cb8c3eb04111ed557e48159f68ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|307924509ff64d7a7559ca89fa9c56bcc687cb8c3eb04111ed557e48159f68ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-pull-request.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68494, "scanner": "repobility-supply-chain", "fingerprint": "c93e9e07185229158bc9141ef4bb9078333b51208049409f94096be039be2aa8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c93e9e07185229158bc9141ef4bb9078333b51208049409f94096be039be2aa8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68493, "scanner": "repobility-supply-chain", "fingerprint": "778ff3bde7833270a770dc6b7c7e1f54f6c26e52809e010cdc568903299e0570", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|778ff3bde7833270a770dc6b7c7e1f54f6c26e52809e010cdc568903299e0570"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68492, "scanner": "repobility-supply-chain", "fingerprint": "7473115cc3c537e172e1a7a3fbc62824b7ee7a1803566a95b0fdf8d8444b127f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7473115cc3c537e172e1a7a3fbc62824b7ee7a1803566a95b0fdf8d8444b127f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68491, "scanner": "repobility-supply-chain", "fingerprint": "812111484511edc636fa2b483d56d6b9a699f5d54a4022f1e7fe7011f78bb3e9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|812111484511edc636fa2b483d56d6b9a699f5d54a4022f1e7fe7011f78bb3e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68490, "scanner": "repobility-supply-chain", "fingerprint": "6a4d21e8649a3aff869e647f702910252b7842c95c201221b415ccaf3ec34f49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a4d21e8649a3aff869e647f702910252b7842c95c201221b415ccaf3ec34f49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68489, "scanner": "repobility-supply-chain", "fingerprint": "166caf7c2eaa44589ffc05453e1fb4be94618c73e410d9578c7b0fd9b7043da8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|166caf7c2eaa44589ffc05453e1fb4be94618c73e410d9578c7b0fd9b7043da8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-and-deploy-snapshot.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68488, "scanner": "repobility-supply-chain", "fingerprint": "8d55747546289f14aedf6e260835ce027b6860a0de5fc3d1433ab8aea6e28929", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d55747546289f14aedf6e260835ce027b6860a0de5fc3d1433ab8aea6e28929"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-system-tests.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 68487, "scanner": "repobility-supply-chain", "fingerprint": "eb8a3531d781808a7f7680cb975352d2998d8c966a0061392aa493e8ea56f0de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb8a3531d781808a7f7680cb975352d2998d8c966a0061392aa493e8ea56f0de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/trigger-docs-build.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:noble-20250404` not pinned by digest: `FROM ubuntu:noble-20250404` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 68486, "scanner": "repobility-supply-chain", "fingerprint": "f1199a6421806c45aa9eec843a74140f758c66219764769cfeb8d61003976f83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1199a6421806c45aa9eec843a74140f758c66219764769cfeb8d61003976f83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-test/spring-boot-loader-integration-tests/src/dockerTest/resources/conf/oracle-jdk-17/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:noble-20250404` not pinned by digest: `FROM ubuntu:noble-20250404` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 68485, "scanner": "repobility-supply-chain", "fingerprint": "1bd28a843f3cea922151ebf7876c4b45a32cd88e27ef7b1a567597f396bdfc1d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1bd28a843f3cea922151ebf7876c4b45a32cd88e27ef7b1a567597f396bdfc1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-test/spring-boot-loader-integration-tests/src/dockerTest/resources/conf/oracle-jdk-17/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `bellsoft/liberica-openjre-debian:25-cds` not pinned by digest: `FROM bellsoft/liberica-openjre-debian:25-cds` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 68484, "scanner": "repobility-supply-chain", "fingerprint": "b45889288c7373c7e5ecdefeb3178202d5239f97db673923af132854b7f0257d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b45889288c7373c7e5ecdefeb3178202d5239f97db673923af132854b7f0257d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/spring-boot-docs/src/docs/antora/modules/reference/partials/dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `bellsoft/liberica-openjre-debian:25-cds` not pinned by digest: `FROM bellsoft/liberica-openjre-debian:25-cds` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 68483, "scanner": "repobility-supply-chain", "fingerprint": "a3fecc4cfd081289d561af325f40d604a16efce1b94713c61e0f911334bbfb16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3fecc4cfd081289d561af325f40d604a16efce1b94713c61e0f911334bbfb16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/spring-boot-docs/src/docs/antora/modules/reference/partials/dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 68454, "scanner": "repobility-threat-engine", "fingerprint": "453e819f9747c6effe401154203d1b14b394ed0d9df50daeea626e8e4c6f7b64", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|453e819f9747c6effe401154203d1b14b394ed0d9df50daeea626e8e4c6f7b64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/io/quartz/MySampleJob.kt"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 68442, "scanner": "repobility-threat-engine", "fingerprint": "c33fd4cc7f22b3528b04a31d3e7c22af05d4825d7625c6c634e75384a7e2fb6c", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(host, request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|189|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/spring-boot-cli/src/main/java/org/springframework/boot/cli/command/init/InitializrService.java"}, "region": {"startLine": 189}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 68441, "scanner": "repobility-threat-engine", "fingerprint": "029d4e968055bbb36f23532253b25756cc889b7673687b63d777e2966221d321", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(this.host, request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|163|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildpack/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/transport/HttpClientTransport.java"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 68436, "scanner": "repobility-threat-engine", "fingerprint": "a46a3070b4eda2a2c8ca4120818df4b2f6b82d56e5d926f75f6b611cf07e1e87", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "inspector.update(b, off, len);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a46a3070b4eda2a2c8ca4120818df4b2f6b82d56e5d926f75f6b611cf07e1e87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildpack/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/io/InspectedContent.java"}, "region": {"startLine": 170}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 68435, "scanner": "repobility-threat-engine", "fingerprint": "e00a907ff70798f783adbca63b8d7184f183221e71375e6ec7ec767643023f53", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Files.delete(this.tarFile);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e00a907ff70798f783adbca63b8d7184f183221e71375e6ec7ec767643023f53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildpack/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/ExportedImageTar.java"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 68434, "scanner": "repobility-threat-engine", "fingerprint": "452aabf0f179bc557fc495598c36fd4eb02090d31b61f435465f6e64b44a1763", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "repositories.extensions.create(\"spring\", SpringRepositoriesExtension.class, repositories, version,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|452aabf0f179bc557fc495598c36fd4eb02090d31b61f435465f6e64b44a1763"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildSrc/SpringRepositorySupport.groovy"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 68429, "scanner": "repobility-threat-engine", "fingerprint": "5dd1581fa582670c320b749c15f573f8ca7d2edf2e9ebf0d91f30e7678d4ca01", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5dd1581fa582670c320b749c15f573f8ca7d2edf2e9ebf0d91f30e7678d4ca01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/AbstractPackagerMojo.java"}, "region": {"startLine": 234}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 68427, "scanner": "repobility-threat-engine", "fingerprint": "e11bc5f90defc96c6912e2afb6bddd378473fbffcd02fbf1ca96816192bc46d0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e11bc5f90defc96c6912e2afb6bddd378473fbffcd02fbf1ca96816192bc46d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildSrc/SpringRepositorySupport.groovy"}, "region": {"startLine": 138}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 68426, "scanner": "repobility-threat-engine", "fingerprint": "4394f62e946d866573dfa206a55ff2306194cab4ea64e122e7ab17638391bc6a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4394f62e946d866573dfa206a55ff2306194cab4ea64e122e7ab17638391bc6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/SpringApplicationAdminClient.java"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 68425, "scanner": "repobility-threat-engine", "fingerprint": "ccca26d996b0e89d0db18fc7b06f443abb2bf58030bcdf8298423c9a48d8fe5a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ccca26d996b0e89d0db18fc7b06f443abb2bf58030bcdf8298423c9a48d8fe5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/AbstractDependencyFilterMojo.java"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 68455, "scanner": "repobility-threat-engine", "fingerprint": "449ddf58e19e065355afe0b25680f1fe4d0bfaea02759f13fe1fca209d72559f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|449ddf58e19e065355afe0b25680f1fe4d0bfaea02759f13fe1fca209d72559f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"integration-test/spring-boot-server-integration-tests/src/intTest/java/org/springframework/boot/context/embedded/EmbeddedServerContainerInvocationContextProvider.java"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 68438, "scanner": "repobility-threat-engine", "fingerprint": "a5ade952eb0e66eea2e5722a76c9cb5e268957266e124d1f0c6753695b70f7ea", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5ade952eb0e66eea2e5722a76c9cb5e268957266e124d1f0c6753695b70f7ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildSrc/SpringRepositorySupport.groovy"}, "region": {"startLine": 60}}}]}]}]}