{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC101", "name": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes int", "shortDescription": {"text": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) leading to RCE."}, "fullDescription": {"text": "Avoid native Java serialization entirely. Use JSON (Jackson with default-typing OFF) or a length-limited Protobuf. If you must, set up a SerialKiller / lookahead-deserializer with a class allowlist."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/510"}, "properties": {"repository": "openjdk/jdk", "repoUrl": "https://github.com/openjdk/jdk.git", "branch": "master"}, "results": [{"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 30226, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 30225, "scanner": "repobility-threat-engine", "fingerprint": "d27dd0da4bd409a3c228df555713cb9eaa053d8ab45b57f0cb1943836dbe2376", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DEBUG = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d27dd0da4bd409a3c228df555713cb9eaa053d8ab45b57f0cb1943836dbe2376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/demo/share/jfc/SwingSet2/SwingSet2.java"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 30223, "scanner": "repobility-threat-engine", "fingerprint": "9815e472b4f9979e6d952b6043f874f22cc45664e29f78f234231f6f891299a1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * MAX_HUE);\n    priv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9815e472b4f9979e6d952b6043f874f22cc45664e29f78f234231f6f891299a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/demo/share/jfc/J2Ddemo/java2d/demos/Paint/GradAnim.java"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 30222, "scanner": "repobility-threat-engine", "fingerprint": "a40f213ac126c8eb5dbbd3a3501e866fb2cd074385a48d284ba81a8b4cd77a30", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() > 0.5 ? UP : DOWN;\n        }\n\n        priv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a40f213ac126c8eb5dbbd3a3501e866fb2cd074385a48d284ba81a8b4cd77a30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/demo/share/jfc/J2Ddemo/java2d/demos/Composite/FadeAnim.java"}, "region": {"startLine": 321}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30228, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5ed2210f2f9ca9e360a25cf83e4926cb7f2dbf1307245b2ae3d7e83abc61102", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hotspot/cpu/aarch64/gc/shared/barrierSetAssembler_aarch64.hpp", "duplicate_line": 13, "correlation_key": "fp|d5ed2210f2f9ca9e360a25cf83e4926cb7f2dbf1307245b2ae3d7e83abc61102"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hotspot/cpu/aarch64/gc/z/zBarrierSetAssembler_aarch64.hpp"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30227, "scanner": "repobility-ai-code-hygiene", "fingerprint": "37c671a3fd538fe72d8c86417a210cc4ef0a4f579d7a2924d9aed247e10a4c6a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hotspot/cpu/aarch64/gc/g1/g1BarrierSetAssembler_aarch64.cpp", "duplicate_line": 322, "correlation_key": "fp|37c671a3fd538fe72d8c86417a210cc4ef0a4f579d7a2924d9aed247e10a4c6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hotspot/cpu/aarch64/gc/shenandoah/shenandoahBarrierSetAssembler_aarch64.cpp"}, "region": {"startLine": 422}}}]}, {"ruleId": "SEC101", "level": "error", "message": {"text": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) leading to RCE."}, "properties": {"repobilityId": 30224, "scanner": "repobility-threat-engine", "fingerprint": "47cca5d56c45d7c6be597e41dd7609bf239683d64bbf2e598baf8e382fbe1f3d", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new ObjectInputStream(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC101", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|297|sec101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/demo/share/jfc/Stylepad/Stylepad.java"}, "region": {"startLine": 297}}}]}]}]}