{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `rich` has no version pin: Unpinned pip requirement means every fresh install may resolve a", "shortDescription": {"text": "[MINED124] requirements.txt: `rich` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs"}, "fullDescription": {"text": "Replace `rich` with `rich==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `complex_function` (list): `def complex_function(... = []/{}/set())` \u2014 Python's d", "shortDescription": {"text": "[MINED109] Mutable default argument in `complex_function` (list): `def complex_function(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutate"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def complex_function(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `jaeger` image uses the latest tag", "shortDescription": {"text": "Compose service `jaeger` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Require an explicit isolated profile for auto-approve modes. Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Remove generated output from version control, add it to .gitignore and .dockerignore where relevant, and regenerate it in CI or release jobs."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 4 more): Same pattern found in 4 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 42 more): Same pattern found in 42 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.", "shortDescription": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED101", "name": "[MINED101] Rust Panic On Compile: Using `.expect()` on a compile-result causes a panic on failure, which can crash long-", "shortDescription": {"text": "[MINED101] Rust Panic On Compile: Using `.expect()` on a compile-result causes a panic on failure, which can crash long-running services unrecoverably. Propagate the error with `?` or handle it with `match` instead."}, "fullDescription": {"text": "Propagate the error: `let compiled = res.compile()?;`. Or match the result and log/return cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED070", "name": "[MINED070] Zig Undefined Init: var x: T = undefined leaves memory uninitialized. Often a foot-gun.", "shortDescription": {"text": "[MINED070] Zig Undefined Init: var x: T = undefined leaves memory uninitialized. Often a foot-gun."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 44 more): Same pattern found in 44 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 44 more): Same pattern found in 44 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 41 more): Same pattern found in 41 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 118 more): Same pattern found in 118 a", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 118 more): Same pattern found in 118 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 112 more): Same pattern found in 112 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 112 more): Same pattern found in 112 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 145 more): Same pattern found in 145 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 145 more): Same pattern found in 145 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 95 more): Same pattern found in 95 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 95 more): Same pattern found in 95 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `src/vs/workbench/contrib/terminal/common/scripts/psreadline/net6plus/Microsoft.PowerShell.PSRead", "shortDescription": {"text": "[MINED134] Binary file `src/vs/workbench/contrib/terminal/common/scripts/psreadline/net6plus/Microsoft.PowerShell.PSReadLine.Polyfiller.dll` committed in source repo: `src/vs/workbench/contrib/terminal/common/scripts/psreadline/net6plus/Mic"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/base:ubuntu` not pinned by digest: `FROM mcr.microsoft.com/d", "shortDescription": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/base:ubuntu` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/base:ubuntu` resolves the tag at build time. The registry CAN re-push a different image for the same tag, s"}, "fullDescription": {"text": "Replace with: `FROM mcr.microsoft.com/devcontainers/base:ubuntu@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-r", "shortDescription": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025"}, "fullDescription": {"text": "Replace with: `uses: actions/setup-node@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `keytar` pulled from URL/Git: `dependencies.keytar` = `file:./packageMocks/keytar` bypasses ", "shortDescription": {"text": "[MINED122] package.json dep `keytar` pulled from URL/Git: `dependencies.keytar` = `file:./packageMocks/keytar` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromise"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.imports` used but never assigned in __init__: Method `make_prompt_for_fct` of class `FunctionWithImport", "shortDescription": {"text": "[MINED108] `self.imports` used but never assigned in __init__: Method `make_prompt_for_fct` of class `FunctionWithImportsNamespacedInClasses` reads `self.imports`, but no assignment to it exists in __init__ (and no class-level fallback). Th"}, "fullDescription": {"text": "Initialize `self.imports = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render.", "shortDescription": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC036", "name": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF ", "shortDescription": {"text": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. Real CVEs: CVE-2017-15193 (Mahara), CVE-20"}, "fullDescription": {"text": "Strip `\\r\\n` before setting headers:\n  safe = value.replace('\\r','').replace('\\n','')\n  response.headers['X-Custom'] = safe\nMost modern frameworks (Django 3+, Express 4.10+) already do this \u2014 but custom header-setting code often doesn't. Prefer framework methods (`response.set_cookie`) over manual header dict assignment."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/720"}, "properties": {"repository": "microsoft/vscode", "repoUrl": "https://github.com/microsoft/vscode", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `rich` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 58616, "scanner": "repobility-supply-chain", "fingerprint": "cb49d7af334e12fc7dcb7f7f7ee95edcf28d4418e5b82a81e476d786a6a09c47", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb49d7af334e12fc7dcb7f7f7ee95edcf28d4418e5b82a81e476d786a6a09c47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/test/requirements.txt"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `tiktoken` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 58615, "scanner": "repobility-supply-chain", "fingerprint": "18e82c840979e5772e82f08161ee6860e6e6f1579d17d2a20fdb5bc22e592887", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|18e82c840979e5772e82f08161ee6860e6e6f1579d17d2a20fdb5bc22e592887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/test/requirements.txt"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `ruff` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 58614, "scanner": "repobility-supply-chain", "fingerprint": "403d04444967aa9ff4a083b066cbba04f7be157f1001eaffaf9ccb6d6e3c257f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|403d04444967aa9ff4a083b066cbba04f7be157f1001eaffaf9ccb6d6e3c257f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/test/requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `complex_function` (list): `def complex_function(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 58589, "scanner": "repobility-ast-engine", "fingerprint": "395164495fcb09a5bd73b2f448c2c22d24c011a44ea0c4009a3be22141feb598", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|395164495fcb09a5bd73b2f448c2c22d24c011a44ea0c4009a3be22141feb598"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/test/simulation/fixtures/fixing/python/pylint_line_too_long_1.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 58585, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 58584, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 58579, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `jaeger` image uses the latest tag"}, "properties": {"repobilityId": 58576, "scanner": "repobility-docker", "fingerprint": "bee94875f95af6cea4d78da4a3717ca165fe8f62fa3a52a2d4d0f0571aa3893a", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "jaegertracing/jaeger:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bee94875f95af6cea4d78da4a3717ca165fe8f62fa3a52a2d4d0f0571aa3893a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/docs/monitoring/docker-compose.yaml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `otel-collector` image uses the latest tag"}, "properties": {"repobilityId": 58573, "scanner": "repobility-docker", "fingerprint": "89c52eb95e36f0ada66efa1f9594ea1e50a12697545331eb54c47f63f9728f4a", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "otel/opentelemetry-collector-contrib:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|89c52eb95e36f0ada66efa1f9594ea1e50a12697545331eb54c47f63f9728f4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/docs/monitoring/docker-compose.yaml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 58572, "scanner": "repobility-docker", "fingerprint": "43742b18202d9135276e406d5bbe541f3e638cd78de5820ba5b0bbcb53aa945e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/base:ubuntu", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|43742b18202d9135276e406d5bbe541f3e638cd78de5820ba5b0bbcb53aa945e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/vscode-colorize-tests/test/colorize-fixtures/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 58570, "scanner": "repobility-docker", "fingerprint": "31c7b0fde5206312bc19b788b8f88a7e44795a0ffb4d130ce5640e7ec0b42f6f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|31c7b0fde5206312bc19b788b8f88a7e44795a0ffb4d130ce5640e7ec0b42f6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/vscode-colorize-tests/test/colorize-fixtures/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 58568, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 58566, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "extensions/copilot/test/simulation/cache/base.sqlite", "size_mb": 0.0}, {"path": "extensions/copilot/test/simulation/cache/layers/1addc1e5-24d0-4fdd-8951-f7f59666e4e5.sqlite", "size_mb": 0.0}, {"path": "extensions/copilot/test/simulation/cache/layers/0fbe60af-6808-4958-ac2f-20162e06c077.sqlite", "size_mb": 0.0}, {"path": "extensions/copilot/test/simulation/cache/layers/1cf3aa34-24fc-4b0f-b58e-71a8c3ce6b44.sqlite", "size_mb": 0.0}, {"path": "extensions/copilot/test/simulation/cache/layers/e0bdf0eb-0e2c-40e7-9de4-729e9f6e7daa.sqlite", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 58565, "scanner": "repobility-agent-runtime", "fingerprint": "08b6c50f367514e93464167366bab607d8c9f5c6550c7eeec3047dea43f242c5", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|08b6c50f367514e93464167366bab607d8c9f5c6550c7eeec3047dea43f242c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/chatSessions/vscode-node/copilotCLIShim.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 58564, "scanner": "repobility-agent-runtime", "fingerprint": "0410670c47b28334dc8c501f436b45af3beacc70455a97edfce7b91b6110167b", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0410670c47b28334dc8c501f436b45af3beacc70455a97edfce7b91b6110167b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/chatSessions/copilotcli/node/permissionHelpers.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 58563, "scanner": "repobility-agent-runtime", "fingerprint": "63215c0f02473c6b92aedae013b58f4e379cfc9cea27f2b0d070a3b09f1aaa7e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|63215c0f02473c6b92aedae013b58f4e379cfc9cea27f2b0d070a3b09f1aaa7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-linux-cli-test.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 58543, "scanner": "repobility-threat-engine", "fingerprint": "61e2fa89a0bd1d8bd97d4b9a197e06949d43557959530ba00708e3842bb679e7", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp('(?:[a-zA-Z][a-zA-Z0-9+.-]{2,}:\\\\/\\\\/|data:|www\\\\.)[^\\\\s' + CONTROL_CODES + '\"]{2,}[^\\\\s'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61e2fa89a0bd1d8bd97d4b9a197e06949d43557959530ba00708e3842bb679e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/notebook-renderers/src/linkify.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 58535, "scanner": "repobility-threat-engine", "fingerprint": "cd324baa8068c96f3f8ea41767a29cdd7641f25dfeb30f77899758af4f155f59", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random();\n\n\t\t// Inactive survey check only runs once\n\t\tthis.inactiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cd324baa8068c96f3f8ea41767a29cdd7641f25dfeb30f77899758af4f155f59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/platform/survey/vscode/surveyServiceImpl.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 58534, "scanner": "repobility-threat-engine", "fingerprint": "e67bb04d0f0eb475ef5ffffd1f5dc5369183b7d0273caad6765599c7316cee8a", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "sessionSeed = Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|51|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/platform/survey/vscode/surveyServiceImpl.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 58528, "scanner": "repobility-threat-engine", "fingerprint": "1e241e6474473da3c79197228ce6c22747357719c5a95e9f860ae838f452057f", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|107|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/intents/node/promptOverride.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 58526, "scanner": "repobility-threat-engine", "fingerprint": "bfa079ed1e7caf68d094955babf6778aa1fbc2f94226a018ec9caa0fb9aeebd9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (err) {\n\t\t\treturn [];\n\t\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bfa079ed1e7caf68d094955babf6778aa1fbc2f94226a018ec9caa0fb9aeebd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/prompts/node/panel/workspace/visualFileTree.ts"}, "region": {"startLine": 135}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 58525, "scanner": "repobility-threat-engine", "fingerprint": "3eded8c088d1f9fb5cc89e6e9ab8f13c19a12f9b0258e196ac73019f4c44129b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n\t\t\t\treturn [];\n\t\t\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3eded8c088d1f9fb5cc89e6e9ab8f13c19a12f9b0258e196ac73019f4c44129b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/prompts/node/panel/referencesAtPosition.tsx"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 58524, "scanner": "repobility-threat-engine", "fingerprint": "9e77fcfc1a1abad6e7cc43c257a014358ceee8fdb35cde53d161fa272afebe88", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n\t\t\treturn [];\n\t\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9e77fcfc1a1abad6e7cc43c257a014358ceee8fdb35cde53d161fa272afebe88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/context/node/resolvers/vscodeContext.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 58523, "scanner": "repobility-threat-engine", "fingerprint": "ee978666a517884565cff5c43de9d5506c17d93904b92eb8bf24ad406572258c", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"${DOMPurify.sanitize(solution.citation.url)}\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|60|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/extension/src/copilotPanel/webView/suggestionsPanelWebview.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 58515, "scanner": "repobility-threat-engine", "fingerprint": "2ae04a1103eaaf2539d2748921bdb4bddc622bebcf288dc85a52186c5f2cc104", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => { })", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2ae04a1103eaaf2539d2748921bdb4bddc622bebcf288dc85a52186c5f2cc104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/inlineEdits/vscode-node/components/logContextRecorder.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 58514, "scanner": "repobility-threat-engine", "fingerprint": "da2e66f8a47ffd553a0cd5ecfc9ad4a7ad63c1fc9cec9081c91892dc568e461c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) { }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da2e66f8a47ffd553a0cd5ecfc9ad4a7ad63c1fc9cec9081c91892dc568e461c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/conversation/vscode-node/feedbackReporter.ts"}, "region": {"startLine": 120}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 58513, "scanner": "repobility-threat-engine", "fingerprint": "7ce61b85af7446b698df725bad6f9ec5ac1d396e84170c46df136d023cd7af6d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => { })", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7ce61b85af7446b698df725bad6f9ec5ac1d396e84170c46df136d023cd7af6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/chat/vscode-node/sessionTranscriptService.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 58512, "scanner": "repobility-threat-engine", "fingerprint": "36ab1ec0de10a918fca38da26b901fbaa8f59663f2fbf94d1d07b982c177a48f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server {\n\t\treturn http.createServer(async (req, res) => {\n\t\t\tthis.logService.trace(`Received re", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|36ab1ec0de10a918fca38da26b901fbaa8f59663f2fbf94d1d07b982c177a48f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/agents/node/langModelServer.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 58464, "scanner": "repobility-threat-engine", "fingerprint": "dde5d503a611baada226fb881fd46b6e20836fbd7477133116ce7262d23fbfc3", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|115|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".vscode/extensions/vscode-selfhost-test-provider/src/failureTracker.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 58463, "scanner": "repobility-threat-engine", "fingerprint": "c4926bb1a4b00b8da2690e3e5cefcf7431dd4c1945efd9086a9186572c8c98bc", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|36|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/vscode-dts-vscode-in-comments.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 58462, "scanner": "repobility-threat-engine", "fingerprint": "9f1ca1f3f2dde5f5dabafaa03a8360bb41e4425460885142efc7ad5a8dc46dc7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|52|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/vscode-dts-event-naming.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 58583, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 58582, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 58581, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 58580, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58578, "scanner": "repobility-docker", "fingerprint": "22e90187af49be598b920d13c5e52bac149763df7a2811e995ba490782194bf3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|22e90187af49be598b920d13c5e52bac149763df7a2811e995ba490782194bf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/docs/monitoring/docker-compose.yaml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 58577, "scanner": "repobility-docker", "fingerprint": "df1ceda471780929406259d8c4fd9bdab0b2d8eb74284ca81121bc15ed617c47", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|df1ceda471780929406259d8c4fd9bdab0b2d8eb74284ca81121bc15ed617c47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/docs/monitoring/docker-compose.yaml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 58575, "scanner": "repobility-docker", "fingerprint": "d4eca8853e5a4fb4403f930c7e9b309f6ebebf602e7b42b16bf5e0f2794364c7", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d4eca8853e5a4fb4403f930c7e9b309f6ebebf602e7b42b16bf5e0f2794364c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/docs/monitoring/docker-compose.yaml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 58574, "scanner": "repobility-docker", "fingerprint": "8fc406f8c22c135d7800bee579f43f678a6072c8142afec9e0aaa59c64054898", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8fc406f8c22c135d7800bee579f43f678a6072c8142afec9e0aaa59c64054898"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/docs/monitoring/docker-compose.yaml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 58571, "scanner": "repobility-docker", "fingerprint": "739634a028573fbb408ef306bf91e265453f0643156acb68c2842c13e824af45", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|739634a028573fbb408ef306bf91e265453f0643156acb68c2842c13e824af45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/vscode-colorize-tests/test/colorize-fixtures/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 58569, "scanner": "repobility-docker", "fingerprint": "f297ab4c347b4682011b62fb8cd7e51d50bf6b66f8d1d0803f72952895c26690", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f297ab4c347b4682011b62fb8cd7e51d50bf6b66f8d1d0803f72952895c26690"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/vscode-colorize-tests/test/colorize-fixtures/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58562, "scanner": "repobility-ai-code-hygiene", "fingerprint": "835a5a49df7de60a61f01df7f050d322df5a186556f145abf02392aa93bd240f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extensions/copilot/src/extension/completions-core/vscode-node/extension/src/panelShared/themes/abyss.ts", "duplicate_line": 284, "correlation_key": "fp|835a5a49df7de60a61f01df7f050d322df5a186556f145abf02392aa93bd240f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/extension/src/panelShared/themes/dark-hc.ts"}, "region": {"startLine": 138}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58561, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c6edb09fa1464a018fe3f7c852c41c1499b3b312496030776679c198104abf2a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extensions/copilot/src/extension/chatSessions/vscode-node/chatSessionWorkspaceFolderServiceImpl.ts", "duplicate_line": 211, "correlation_key": "fp|c6edb09fa1464a018fe3f7c852c41c1499b3b312496030776679c198104abf2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/chatSessions/vscode-node/claudeWorkspaceFolderServiceImpl.ts"}, "region": {"startLine": 160}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58560, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a42d59f4c9d86580685194faca98b7a5ecf00ee7ded76cb550cb184a3eed023", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extensions/copilot/src/extension/chatSessions/vscode-node/chatSessionWorkspaceFolderServiceImpl.ts", "duplicate_line": 211, "correlation_key": "fp|0a42d59f4c9d86580685194faca98b7a5ecf00ee7ded76cb550cb184a3eed023"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/chatSessions/vscode-node/chatSessionWorktreeServiceImpl.ts"}, "region": {"startLine": 589}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58559, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0121937615d2d90f21420b74372a3841f66317479ace4af924c9bdb1859c1bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extensions/copilot/src/extension/chatSessions/claude/node/claudeCodeFolderMru.ts", "duplicate_line": 51, "correlation_key": "fp|b0121937615d2d90f21420b74372a3841f66317479ace4af924c9bdb1859c1bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/chatSessions/copilotcli/vscode-node/copilotCLIFolderMru.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58558, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6cce4eb07983319ed7f4824de98b8ae6738d477138c4973aa85525072e22c2a0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extensions/copilot/src/extension/chatSessions/copilotcli/node/nodePtyShim.ts", "duplicate_line": 85, "correlation_key": "fp|6cce4eb07983319ed7f4824de98b8ae6738d477138c4973aa85525072e22c2a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/chatSessions/copilotcli/node/ripgrepShim.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58557, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc4c8f1d3917ec435d688a0154f76c496ecfcd7e9a75dc947b3cd6bee5e1bafe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extensions/copilot/src/extension/agents/node/langModelServer.ts", "duplicate_line": 105, "correlation_key": "fp|bc4c8f1d3917ec435d688a0154f76c496ecfcd7e9a75dc947b3cd6bee5e1bafe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/chatSessions/claude/node/claudeLanguageModelServer.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58556, "scanner": "repobility-ai-code-hygiene", "fingerprint": "af0c47f6690edc9109360a60e0c2041e389fbfca40be8fb16bbe06bd717dee9c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extensions/copilot/src/extension/byok/vscode-node/customEndpointProvider.ts", "duplicate_line": 160, "correlation_key": "fp|af0c47f6690edc9109360a60e0c2041e389fbfca40be8fb16bbe06bd717dee9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/byok/vscode-node/openRouterProvider.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58555, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9ea412ab55fa2ee0d4b2923d16b2bb59eae876b71eb7d2966ec68d13fe02e00", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extensions/copilot/src/extension/byok/vscode-node/anthropicProvider.ts", "duplicate_line": 268, "correlation_key": "fp|b9ea412ab55fa2ee0d4b2923d16b2bb59eae876b71eb7d2966ec68d13fe02e00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/byok/vscode-node/geminiNativeProvider.ts"}, "region": {"startLine": 166}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58554, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4422898cbdfd32f64d86e94f4aa8b35eb295569aa4a2f0db99eefc51621880c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extensions/copilot/src/extension/byok/vscode-node/customEndpointProvider.ts", "duplicate_line": 72, "correlation_key": "fp|4422898cbdfd32f64d86e94f4aa8b35eb295569aa4a2f0db99eefc51621880c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/byok/vscode-node/customOAIProvider.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58553, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bfc07ee0798aab06bceec85ce1ae35b47e4f01f8089e0f26efbbfb9f45d3cbca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extensions/copilot/src/extension/byok/common/anthropicMessageConverter.ts", "duplicate_line": 124, "correlation_key": "fp|bfc07ee0798aab06bceec85ce1ae35b47e4f01f8089e0f26efbbfb9f45d3cbca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/byok/common/geminiMessageConverter.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58552, "scanner": "repobility-ai-code-hygiene", "fingerprint": "588612ef08eb61e0bfedd105be0920db0e31c426ded343484e71c7f6cdbbf39a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extensions/copilot/src/extension/agents/vscode-node/askAgentProvider.ts", "duplicate_line": 38, "correlation_key": "fp|588612ef08eb61e0bfedd105be0920db0e31c426ded343484e71c7f6cdbbf39a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/agents/vscode-node/exploreAgentProvider.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58551, "scanner": "repobility-ai-code-hygiene", "fingerprint": "62cd7e8d5a5b5bd8c245182c58381d8ae3eb1122c62d6224c327c08404f8816a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".eslint-plugin-local/code-no-runtime-import.ts", "duplicate_line": 42, "correlation_key": "fp|62cd7e8d5a5b5bd8c245182c58381d8ae3eb1122c62d6224c327c08404f8816a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.eslintplugin/no-runtime-import.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58550, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d8f663b9fc5c80fe782fa9baaf92774eb30896c3f2a839f6649377d970532ff6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".eslint-plugin-local/code-limited-top-functions.ts", "duplicate_line": 9, "correlation_key": "fp|d8f663b9fc5c80fe782fa9baaf92774eb30896c3f2a839f6649377d970532ff6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-no-runtime-import.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58549, "scanner": "repobility-ai-code-hygiene", "fingerprint": "52ee256e733027324fc918eee2be302bd6bb12d8fd38177db49be0bc4080ecf7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".eslint-plugin-local/code-no-observable-get-in-reactive-context.ts", "duplicate_line": 18, "correlation_key": "fp|52ee256e733027324fc918eee2be302bd6bb12d8fd38177db49be0bc4080ecf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-no-reader-after-await.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 58548, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74d49067309931cbf890df5d58ede3d11bafb45709cde5f025bdb4ccdeeb037a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|74d49067309931cbf890df5d58ede3d11bafb45709cde5f025bdb4ccdeeb037a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/xterm-update.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 58547, "scanner": "repobility-ai-code-hygiene", "fingerprint": "edeb6898982a7cf72f6618b23f557f22a135f7424e0d401a694acbe163a23f76", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|edeb6898982a7cf72f6618b23f557f22a135f7424e0d401a694acbe163a23f76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/self_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 58546, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "build", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 58521, "scanner": "repobility-threat-engine", "fingerprint": "d686e0f5a9e5ad0488d659f9d4b18eefd781a871ef472d8b2fac9ca2a8c1bd57", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = c", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|44|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/mermaid-markdown-features/preview-src/markdown/index.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 58520, "scanner": "repobility-threat-engine", "fingerprint": "681110bdd9f9271d20d6818426c61cec46b8233a58bc5daee564c7fa50cdb7c4", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = (", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|339|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/markdown-language-features/notebook/index.ts"}, "region": {"startLine": 339}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 58519, "scanner": "repobility-threat-engine", "fingerprint": "240a69746f33074fc505a53ccc8c1f97e4300ae6733c9786227a7c6fdd3f283a", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = m", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|54|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/extension/src/copilotPanel/webView/suggestionsPanelWebview.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 58541, "scanner": "repobility-threat-engine", "fingerprint": "9d09085a62f5d2dbdd36535f5fd5dba87bc903f20f48c46050db095c0a21fb0a", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9d09085a62f5d2dbdd36535f5fd5dba87bc903f20f48c46050db095c0a21fb0a"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 58540, "scanner": "repobility-threat-engine", "fingerprint": "90c681d404b9c49355ece9d8f4951a81f9ff1b02769c5f048f96a0138f788910", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|11|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/markdown-language-features/src/util/uuid.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 58539, "scanner": "repobility-threat-engine", "fingerprint": "27e60394aaaf670e04b9474657d27ff2ca4765c16346941f1a0fe10eeba75cae", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|156|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/ipynb/src/helper.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 58538, "scanner": "repobility-threat-engine", "fingerprint": "12a95c7417e1677797cff14bf8bc4b6590d913ce50deaed3bc55208746727550", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|18|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/util/vs/base/common/uuid.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC005", "level": "none", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 58537, "scanner": "repobility-threat-engine", "fingerprint": "753793fca8dfa24a0e15b34146993167824446c37b27a9a63250a0653e123a9f", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "evidence": {"match": "exec(input", "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|73|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/util/vs/base/common/iconLabels.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC136", "level": "none", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 58527, "scanner": "repobility-threat-engine", "fingerprint": "8e478e56b730255b619eaaf214c2ac68864bd09b58591d59c20fe11bd4508abd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8e478e56b730255b619eaaf214c2ac68864bd09b58591d59c20fe11bd4508abd"}}}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 58522, "scanner": "repobility-threat-engine", "fingerprint": "d62afa18f06a325cee859bfc8963ff1f72b12cc2df69d78422fa7b9f881be030", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d62afa18f06a325cee859bfc8963ff1f72b12cc2df69d78422fa7b9f881be030"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 58516, "scanner": "repobility-threat-engine", "fingerprint": "42b331c1e4b17f85d81db72d75262314338abed6e5bfedff208d2157846ef882", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|42b331c1e4b17f85d81db72d75262314338abed6e5bfedff208d2157846ef882"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 58509, "scanner": "repobility-threat-engine", "fingerprint": "588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|588cbe6635e9107e3f4226ff395bb9d3b8dbc57f8977957784281db9e5f71589"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "properties": {"repobilityId": 58505, "scanner": "repobility-threat-engine", "fingerprint": "023ef0be74fff5a69309e61ef7d7e8b28fe7ab2b73f68b4c2bb5dc0ac02f58a4", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 42 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 42 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|023ef0be74fff5a69309e61ef7d7e8b28fe7ab2b73f68b4c2bb5dc0ac02f58a4"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 58501, "scanner": "repobility-threat-engine", "fingerprint": "60a8c503e09b605a5af190b3eefa26509af2ae1d7880e68282f5489a33bb7a5e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|60a8c503e09b605a5af190b3eefa26509af2ae1d7880e68282f5489a33bb7a5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/php-language-features/src/features/utils/markedTextUtil.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 58500, "scanner": "repobility-threat-engine", "fingerprint": "f7bc38adb86f1b6aad73c47e48fcf6829de1f59f664ce1b9a161b2bc07adac3e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f7bc38adb86f1b6aad73c47e48fcf6829de1f59f664ce1b9a161b2bc07adac3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/github-authentication/src/node/authServer.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 58499, "scanner": "repobility-threat-engine", "fingerprint": "60b9047ff83326360f86bb537cde5c0972e1a40cba086f01d4dff3216dae1842", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|60b9047ff83326360f86bb537cde5c0972e1a40cba086f01d4dff3216dae1842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/tunnels/service_macos.rs"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 58498, "scanner": "repobility-threat-engine", "fingerprint": "8f4ac72a19e9fedd3fb4e2e780ef0810015238b2711ea7fbeca406f8654cbf0b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f4ac72a19e9fedd3fb4e2e780ef0810015238b2711ea7fbeca406f8654cbf0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/util/http.rs"}, "region": {"startLine": 315}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 58497, "scanner": "repobility-threat-engine", "fingerprint": "aa28b764a7630268af44f76a6cda38934f296826eded9617d4108754b26aacff", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa28b764a7630268af44f76a6cda38934f296826eded9617d4108754b26aacff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/singleton.rs"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 58496, "scanner": "repobility-threat-engine", "fingerprint": "31cfe034f7d93b016997e51d1d01d0ffe0ab1f2b5cee2c8edd914a92a3c53c4c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|31cfe034f7d93b016997e51d1d01d0ffe0ab1f2b5cee2c8edd914a92a3c53c4c", "aggregated_count": 6}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 58495, "scanner": "repobility-threat-engine", "fingerprint": "fcebea7573c91fafcedbba43b2db70ff067ac212e871de882e11bf1234ff7fe1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fcebea7573c91fafcedbba43b2db70ff067ac212e871de882e11bf1234ff7fe1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/tunnels/nosleep_macos.rs"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 58494, "scanner": "repobility-threat-engine", "fingerprint": "8ad8ac973687074a2661a32434220f79d2bb6645f120f2a4dd30f8a2a44264ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8ad8ac973687074a2661a32434220f79d2bb6645f120f2a4dd30f8a2a44264ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/self_update.rs"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 58493, "scanner": "repobility-threat-engine", "fingerprint": "639444271b4c3f9636bc7944b151e585a210c3982e3a970481502e4e9caa99f7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|639444271b4c3f9636bc7944b151e585a210c3982e3a970481502e4e9caa99f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/output.rs"}, "region": {"startLine": 259}}}]}, {"ruleId": "MINED101", "level": "none", "message": {"text": "[MINED101] Rust Panic On Compile: Using `.expect()` on a compile-result causes a panic on failure, which can crash long-running services unrecoverably. Propagate the error with `?` or handle it with `match` instead."}, "properties": {"repobilityId": 58492, "scanner": "repobility-threat-engine", "fingerprint": "c4f458d3ddb830f88ae0edec6dcb0d8a0a4e35f62326712bc1ea260132ad963d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "panic-on-compile", "owasp": null, "cwe_ids": [], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 7, "observations_count": 53, "ai_coder_pattern_id": 53}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c4f458d3ddb830f88ae0edec6dcb0d8a0a4e35f62326712bc1ea260132ad963d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/build.rs"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 58491, "scanner": "repobility-threat-engine", "fingerprint": "226c8f2d31fb96ab1ed08ceb96978fac4a1a140d291f983d64ccef551161e2a3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|226c8f2d31fb96ab1ed08ceb96978fac4a1a140d291f983d64ccef551161e2a3", "aggregated_count": 4}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 58490, "scanner": "repobility-threat-engine", "fingerprint": "5947ef95ffae73a0b85523916671c3853c33a0c8bc1008616c7483983c6940ff", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5947ef95ffae73a0b85523916671c3853c33a0c8bc1008616c7483983c6940ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/msgpack_rpc.rs"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 58489, "scanner": "repobility-threat-engine", "fingerprint": "59782d9ba36e46bacead8138813459b8f62e6105efdc8648e854f3c9e060f5c9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59782d9ba36e46bacead8138813459b8f62e6105efdc8648e854f3c9e060f5c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/log.rs"}, "region": {"startLine": 321}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 58488, "scanner": "repobility-threat-engine", "fingerprint": "8f526a30439af5c70329cb787989a93bee8e07d8674dae69a03a4b7ae3865e70", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f526a30439af5c70329cb787989a93bee8e07d8674dae69a03a4b7ae3865e70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/build.rs"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 58487, "scanner": "repobility-threat-engine", "fingerprint": "39b5cf82cd91cf85d465f0290cde0c40bcf7e46710436118b4b94482519432c6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|39b5cf82cd91cf85d465f0290cde0c40bcf7e46710436118b4b94482519432c6", "aggregated_count": 19}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 58483, "scanner": "repobility-threat-engine", "fingerprint": "83b25842885701f19691b74e972e4bf4bae6f6b6f83a44e3c40c546d16993543", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|83b25842885701f19691b74e972e4bf4bae6f6b6f83a44e3c40c546d16993543"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".vscode/extensions/vscode-extras/src/npmUpToDateFeature.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED070", "level": "none", "message": {"text": "[MINED070] Zig Undefined Init: var x: T = undefined leaves memory uninitialized. Often a foot-gun."}, "properties": {"repobilityId": 58482, "scanner": "repobility-threat-engine", "fingerprint": "b6508c9f79947cd1805dae6c1d7d50e91cf5e8e17a7854ceb529ae14ef1d109b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "zig-undefined-init", "owasp": null, "cwe_ids": [], "languages": ["zig"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348065+00:00", "triaged_in_corpus": 12, "observations_count": 36548, "ai_coder_pattern_id": 171}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6508c9f79947cd1805dae6c1d7d50e91cf5e8e17a7854ceb529ae14ef1d109b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/script/setup/createVenv.mts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED070", "level": "none", "message": {"text": "[MINED070] Zig Undefined Init: var x: T = undefined leaves memory uninitialized. Often a foot-gun."}, "properties": {"repobilityId": 58481, "scanner": "repobility-threat-engine", "fingerprint": "1013e38c85fefbc6c9707210028ada5af329764bcd6d3c3dc64fe7738049ec84", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "zig-undefined-init", "owasp": null, "cwe_ids": [], "languages": ["zig"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348065+00:00", "triaged_in_corpus": 12, "observations_count": 36548, "ai_coder_pattern_id": 171}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1013e38c85fefbc6c9707210028ada5af329764bcd6d3c3dc64fe7738049ec84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/auto-perf-optimize/scripts/userDataProfile.mts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 58480, "scanner": "repobility-threat-engine", "fingerprint": "52a08b5c11722a3b6127b10b730fd43760404fef43a1fac05334a8d1080b24be", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|52a08b5c11722a3b6127b10b730fd43760404fef43a1fac05334a8d1080b24be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/script/setup/getToken.mts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 58479, "scanner": "repobility-threat-engine", "fingerprint": "665dede49f3312a00d40554a516787905589ec65be61c60f427c97fd14dd2704", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|665dede49f3312a00d40554a516787905589ec65be61c60f427c97fd14dd2704"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/script/setup/getEnv.mts"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 58478, "scanner": "repobility-threat-engine", "fingerprint": "605f054521fc85317eec8b56243e204927c61ee18aade22b78f0ac840674fdb6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|605f054521fc85317eec8b56243e204927c61ee18aade22b78f0ac840674fdb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/auto-perf-optimize/scripts/userDataProfile.mts"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 58477, "scanner": "repobility-threat-engine", "fingerprint": "b8f6476b40c6b0c117c62705cc8affa9b98ac771199163ac6db926e38da22eac", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b8f6476b40c6b0c117c62705cc8affa9b98ac771199163ac6db926e38da22eac", "aggregated_count": 1}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 58476, "scanner": "repobility-threat-engine", "fingerprint": "edda127f695fc736dc10e215d0d7b9f2537d9f0fc416401ece19a58eabfd99cc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|edda127f695fc736dc10e215d0d7b9f2537d9f0fc416401ece19a58eabfd99cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/script/setup/getToken.mts"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 58475, "scanner": "repobility-threat-engine", "fingerprint": "e9e4ef726c648fceba52f00a75ff1dae31001099991b40b6cda788ad8cb7c1dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e9e4ef726c648fceba52f00a75ff1dae31001099991b40b6cda788ad8cb7c1dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/script/setup/getEnv.mts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 58474, "scanner": "repobility-threat-engine", "fingerprint": "737c1c0079f346db00b8e67cd92b3781fbca07e6ec0e7d18f9e4841d5d127a08", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|737c1c0079f346db00b8e67cd92b3781fbca07e6ec0e7d18f9e4841d5d127a08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/auto-perf-optimize/scripts/userDataProfile.mts"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 44 more): Same pattern found in 44 additional files. Review if needed."}, "properties": {"repobilityId": 58473, "scanner": "repobility-threat-engine", "fingerprint": "457224bd146d8776166a94137f2060577285b7831ccf1768f69e12757954c925", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 44 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 44 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|457224bd146d8776166a94137f2060577285b7831ccf1768f69e12757954c925"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 58469, "scanner": "repobility-threat-engine", "fingerprint": "307b83d0878b11fa19a7733164345f24af7c2d92857c6a47165c71bc989c75ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|307b83d0878b11fa19a7733164345f24af7c2d92857c6a47165c71bc989c75ca"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 45 more): Same pattern found in 45 additional files. Review if needed."}, "properties": {"repobilityId": 58465, "scanner": "repobility-threat-engine", "fingerprint": "047d8b1fce78b61af11162f3a86ebeabf6538da6bc5558d174de0577540bfd57", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 45 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 45 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|047d8b1fce78b61af11162f3a86ebeabf6538da6bc5558d174de0577540bfd57"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 58460, "scanner": "repobility-threat-engine", "fingerprint": "3427c09dea3b24ea98bc4907acdb7e171845a1948204edcfe7c1fbd55a667328", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.json' detected on same line", "evidence": {"match": "require(path", "reason": "Safe pattern '\\.json' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|3427c09dea3b24ea98bc4907acdb7e171845a1948204edcfe7c1fbd55a667328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/platform/telemetry/vscode-node/microsoftExperimentationService.ts"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "properties": {"repobilityId": 58458, "scanner": "repobility-threat-engine", "fingerprint": "3d23fbf57ca173f5122abceb11328910b732688570c4d51c116cb25d1222ecbf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 41 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3d23fbf57ca173f5122abceb11328910b732688570c4d51c116cb25d1222ecbf", "aggregated_count": 41}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 58457, "scanner": "repobility-threat-engine", "fingerprint": "4daae48caa2a35c651b61897d9b7c5c1d96d62450fb7b25ce0f873ef34ee0125", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4daae48caa2a35c651b61897d9b7c5c1d96d62450fb7b25ce0f873ef34ee0125"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/script/setup/getToken.mts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 58456, "scanner": "repobility-threat-engine", "fingerprint": "af5dd191738acea7ad6c1031fec75d2658f322fef9f60d7a4241de5d1b8ff5ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af5dd191738acea7ad6c1031fec75d2658f322fef9f60d7a4241de5d1b8ff5ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.eslintplugin/no-gdpr-event-name-mismatch.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 58455, "scanner": "repobility-threat-engine", "fingerprint": "10d588afc53e2212006669dc6771fa1109c74a515fd39594f60dbe0929d718e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10d588afc53e2212006669dc6771fa1109c74a515fd39594f60dbe0929d718e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-policy-localization-key-match.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 118 more): Same pattern found in 118 additional files. Review if needed."}, "properties": {"repobilityId": 58454, "scanner": "repobility-threat-engine", "fingerprint": "8a9373cd288c81ee190f3d17fadecbbb6845d3805e3fad77222d3a7f19ab3b0b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 118 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 118 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a9373cd288c81ee190f3d17fadecbbb6845d3805e3fad77222d3a7f19ab3b0b"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 112 more): Same pattern found in 112 additional files. Review if needed."}, "properties": {"repobilityId": 58450, "scanner": "repobility-threat-engine", "fingerprint": "3d25afe9849c753557d5cb681b9f181580cfacb5ac07c278b57fb63f4d49bcef", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 112 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3d25afe9849c753557d5cb681b9f181580cfacb5ac07c278b57fb63f4d49bcef", "aggregated_count": 112}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 58449, "scanner": "repobility-threat-engine", "fingerprint": "cd72f5c8ce8a4d65bac7c35aa464a657aec2f6f12edccb682eff982a271626d5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd72f5c8ce8a4d65bac7c35aa464a657aec2f6f12edccb682eff982a271626d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-no-icons-in-localized-strings.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 58448, "scanner": "repobility-threat-engine", "fingerprint": "6a31099014515c355a9bbd48073acbfb32ac7234e6b61935724758016b31bf5f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a31099014515c355a9bbd48073acbfb32ac7234e6b61935724758016b31bf5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-no-global-document-listener.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 58447, "scanner": "repobility-threat-engine", "fingerprint": "d8f7b7118dbc176e87453bd4e754e4e3c6bc9d2bcdea60caf587bb7703824966", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d8f7b7118dbc176e87453bd4e754e4e3c6bc9d2bcdea60caf587bb7703824966"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-no-declare-const-enum.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 145 more): Same pattern found in 145 additional files. Review if needed."}, "properties": {"repobilityId": 58446, "scanner": "repobility-threat-engine", "fingerprint": "54b769065bdb956d0a2cdc8644aea5668d4513e8e489c3e61a556daee3942cf0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 145 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|54b769065bdb956d0a2cdc8644aea5668d4513e8e489c3e61a556daee3942cf0", "aggregated_count": 145}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 58445, "scanner": "repobility-threat-engine", "fingerprint": "bb0a13f8ca26b87605a0122e44fa108589f593e21694265520a8e84b47a5ee81", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb0a13f8ca26b87605a0122e44fa108589f593e21694265520a8e84b47a5ee81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-no-runtime-import.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 58444, "scanner": "repobility-threat-engine", "fingerprint": "79ce57523052a486bafc5bd2050ed82151c0d73dff7f4ca04450eb842cee0756", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79ce57523052a486bafc5bd2050ed82151c0d73dff7f4ca04450eb842cee0756"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-layering.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 58443, "scanner": "repobility-threat-engine", "fingerprint": "d16d5f3ebf58c0036eb273a89a48e422c3b9b6819d4ef2bad96fba04121825b6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d16d5f3ebf58c0036eb273a89a48e422c3b9b6819d4ef2bad96fba04121825b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-import-patterns.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 95 more): Same pattern found in 95 additional files. Review if needed."}, "properties": {"repobilityId": 58442, "scanner": "repobility-threat-engine", "fingerprint": "78c9ea3123966a2ab9ee5a3c5f5ab5c15442e7a6dec6e7e12fefbcc6f5e0cfcb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 95 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|78c9ea3123966a2ab9ee5a3c5f5ab5c15442e7a6dec6e7e12fefbcc6f5e0cfcb", "aggregated_count": 95}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 58441, "scanner": "repobility-threat-engine", "fingerprint": "b8e6c507dd92ef6d05e1c0915ad1e4d87173e635c4911cffbaa55b21f529087b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b8e6c507dd92ef6d05e1c0915ad1e4d87173e635c4911cffbaa55b21f529087b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/auto-perf-optimize/scripts/userDataProfile.mts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 58440, "scanner": "repobility-threat-engine", "fingerprint": "c846159f21daa69d0a3ee92d567e927fa700827dfb8840197ccbe7d00519415e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c846159f21daa69d0a3ee92d567e927fa700827dfb8840197ccbe7d00519415e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-translation-remind.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 58439, "scanner": "repobility-threat-engine", "fingerprint": "15cb95107fc87270b740090f419fbba0e98f41af929d8c777a8d9e6b365b24d0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15cb95107fc87270b740090f419fbba0e98f41af929d8c777a8d9e6b365b24d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-amd-node-module.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 58438, "scanner": "repobility-threat-engine", "fingerprint": "85f6e149491b106b778d3023521ac1a6df7b2e25c95618240e31ca0c355a5634", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|85f6e149491b106b778d3023521ac1a6df7b2e25c95618240e31ca0c355a5634"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 58437, "scanner": "repobility-threat-engine", "fingerprint": "22f3228fef9a500ed81e76421f4aaed1fdf0ef6ee2621d91d217f886bcd97de4", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(`[code] seed copy target may contain auth secrets: ${userDataDir}`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|. token|7|console.log code seed copy target may contain auth secrets: userdatadir"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/auto-perf-optimize/scripts/userDataProfile.mts"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/vs/workbench/contrib/terminal/common/scripts/psreadline/net6plus/Microsoft.PowerShell.PSReadLine.Polyfiller.dll` committed in source repo: `src/vs/workbench/contrib/terminal/common/scripts/psreadline/net6plus/Microsoft.PowerShell.PSReadLine.Polyfiller.dll` is a .dll binary (4,608 bytes) committed to a repo that otherwise has 11076 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in"}, "properties": {"repobilityId": 58646, "scanner": "repobility-supply-chain", "fingerprint": "44152499c7da7dc464110033441bbeab4c3ee2b438a954beb552366b0dc8c243", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44152499c7da7dc464110033441bbeab4c3ee2b438a954beb552366b0dc8c243"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/vs/workbench/contrib/terminal/common/scripts/psreadline/net6plus/Microsoft.PowerShell.PSReadLine.Polyfiller.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/vs/workbench/contrib/terminal/common/scripts/psreadline/netstd/Microsoft.PowerShell.PSReadLine.Polyfiller.dll` committed in source repo: `src/vs/workbench/contrib/terminal/common/scripts/psreadline/netstd/Microsoft.PowerShell.PSReadLine.Polyfiller.dll` is a .dll binary (6,656 bytes) committed to a repo that otherwise has 11076 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a b"}, "properties": {"repobilityId": 58645, "scanner": "repobility-supply-chain", "fingerprint": "6b17dc686e4d09a1a411fa43ea3dbd25b48eeaa9c137592d507c857ff1aff298", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b17dc686e4d09a1a411fa43ea3dbd25b48eeaa9c137592d507c857ff1aff298"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/vs/workbench/contrib/terminal/common/scripts/psreadline/netstd/Microsoft.PowerShell.PSReadLine.Polyfiller.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/vs/workbench/contrib/terminal/common/scripts/psreadline/Microsoft.PowerShell.Pager.dll` committed in source repo: `src/vs/workbench/contrib/terminal/common/scripts/psreadline/Microsoft.PowerShell.Pager.dll` is a .dll binary (16,784 bytes) committed to a repo that otherwise has 11076 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 58644, "scanner": "repobility-supply-chain", "fingerprint": "425ea39673a5fd8604a1b118a15083962b256fc373b8f238e281f7c4e5a444ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|425ea39673a5fd8604a1b118a15083962b256fc373b8f238e281f7c4e5a444ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/vs/workbench/contrib/terminal/common/scripts/psreadline/Microsoft.PowerShell.Pager.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/vs/workbench/contrib/terminal/common/scripts/psreadline/Microsoft.PowerShell.PSReadLine.dll` committed in source repo: `src/vs/workbench/contrib/terminal/common/scripts/psreadline/Microsoft.PowerShell.PSReadLine.dll` is a .dll binary (329,216 bytes) committed to a repo that otherwise has 11076 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build "}, "properties": {"repobilityId": 58643, "scanner": "repobility-supply-chain", "fingerprint": "6be16da51a26cea8c97cc8c7b63cf79f05e0285f75f4a0f864215301c4ff73fd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6be16da51a26cea8c97cc8c7b63cf79f05e0285f75f4a0f864215301c4ff73fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/vs/workbench/contrib/terminal/common/scripts/psreadline/Microsoft.PowerShell.PSReadLine.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/base:ubuntu` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/base:ubuntu` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 58642, "scanner": "repobility-supply-chain", "fingerprint": "7075d13b48a6329a650ec3e1c9412da4be046a8b2f23657612c1677922994220", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7075d13b48a6329a650ec3e1c9412da4be046a8b2f23657612c1677922994220"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/vscode-colorize-tests/test/colorize-fixtures/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58641, "scanner": "repobility-supply-chain", "fingerprint": "a966ffbcc5bc5fa4e3c79e162dc7be38083b03acdc93bfd32dd8ee7eaa94bafc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a966ffbcc5bc5fa4e3c79e162dc7be38083b03acdc93bfd32dd8ee7eaa94bafc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58640, "scanner": "repobility-supply-chain", "fingerprint": "cf42b9146347ffa6215565d1b742a1fad29ea17d4047384b51ca7d32039563df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf42b9146347ffa6215565d1b742a1fad29ea17d4047384b51ca7d32039563df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58639, "scanner": "repobility-supply-chain", "fingerprint": "93a7f518af43be608bb9c42281dbd18a0570914b1cfdcc1adf7f454b997ef08c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93a7f518af43be608bb9c42281dbd18a0570914b1cfdcc1adf7f454b997ef08c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v5`: `uses: actions/cache/restore@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58638, "scanner": "repobility-supply-chain", "fingerprint": "ab9434f5c10263c8627b23ed6b85def0671fcb720efea734e9397a4ae44e552b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab9434f5c10263c8627b23ed6b85def0671fcb720efea734e9397a4ae44e552b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58637, "scanner": "repobility-supply-chain", "fingerprint": "eb4379a654e4a450ca00ba3148f81988143d8d3eb94627a8c33f220cee77b3c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb4379a654e4a450ca00ba3148f81988143d8d3eb94627a8c33f220cee77b3c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58636, "scanner": "repobility-supply-chain", "fingerprint": "68de9d4e0652d30d9e3057498d0ab5089353f30e70f4322d615d94712f7a5ed6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|68de9d4e0652d30d9e3057498d0ab5089353f30e70f4322d615d94712f7a5ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58635, "scanner": "repobility-supply-chain", "fingerprint": "9c34e1c34c6c8a785e8475fdd353aae973c914cbd0d320b16783e354b0bf52a8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c34e1c34c6c8a785e8475fdd353aae973c914cbd0d320b16783e354b0bf52a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58634, "scanner": "repobility-supply-chain", "fingerprint": "1c4ea8cd8164d59e904e7ab6014d3ceb93b82f4fe0b9fc64e5fea56955318d69", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c4ea8cd8164d59e904e7ab6014d3ceb93b82f4fe0b9fc64e5fea56955318d69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58633, "scanner": "repobility-supply-chain", "fingerprint": "6e9e09cee9bd4e8c552c425428f28b85ac9c7ff4a4273875981dc40cb73bc949", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e9e09cee9bd4e8c552c425428f28b85ac9c7ff4a4273875981dc40cb73bc949"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58632, "scanner": "repobility-supply-chain", "fingerprint": "0bb2655d0bb0d2627d66224bc9328244ad2e7743412d7af7606a15e6ccf02c8d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0bb2655d0bb0d2627d66224bc9328244ad2e7743412d7af7606a15e6ccf02c8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v5`: `uses: actions/cache/restore@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58631, "scanner": "repobility-supply-chain", "fingerprint": "0a126721488e4628d8d87546816ed99689cfcfe484be00b6165d3f5798e10747", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a126721488e4628d8d87546816ed99689cfcfe484be00b6165d3f5798e10747"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58630, "scanner": "repobility-supply-chain", "fingerprint": "b403f736337727fa842d9cbb78005ee511f826b8182a985d15f98b8fa1ae63a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b403f736337727fa842d9cbb78005ee511f826b8182a985d15f98b8fa1ae63a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58629, "scanner": "repobility-supply-chain", "fingerprint": "ada15f85735eb3625700ec5ee5097f406e991637658e05ab8a6f772e60004393", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ada15f85735eb3625700ec5ee5097f406e991637658e05ab8a6f772e60004393"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/pr.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v5`: `uses: actions/cache/restore@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58628, "scanner": "repobility-supply-chain", "fingerprint": "69042ac5c59c8355720e1de309405acd1c053abcf057dae60d6d1731125147ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|69042ac5c59c8355720e1de309405acd1c053abcf057dae60d6d1731125147ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58627, "scanner": "repobility-supply-chain", "fingerprint": "15e5beb14094d888455797fb5e6862a181786aa3152664888f429a51ea0e73e9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15e5beb14094d888455797fb5e6862a181786aa3152664888f429a51ea0e73e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58626, "scanner": "repobility-supply-chain", "fingerprint": "dbda414b165148be9da7c117d24d85c12d13985c2d0fcac8859174d7fba94160", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbda414b165148be9da7c117d24d85c12d13985c2d0fcac8859174d7fba94160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58625, "scanner": "repobility-supply-chain", "fingerprint": "b9a9af16331fbf1044143082a8c68ac975b4ad5cd7d8fd55d4e9d0f01af72f1b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9a9af16331fbf1044143082a8c68ac975b4ad5cd7d8fd55d4e9d0f01af72f1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58624, "scanner": "repobility-supply-chain", "fingerprint": "da368aa6cd4164136c78ff3c5e79bda39c98facbde83a514aebfb1acf5380dba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da368aa6cd4164136c78ff3c5e79bda39c98facbde83a514aebfb1acf5380dba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58623, "scanner": "repobility-supply-chain", "fingerprint": "dfe294f38f2d15b630c11c9dbb9e39253c7ae63d7ee40569e78350b7cb4b95b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dfe294f38f2d15b630c11c9dbb9e39253c7ae63d7ee40569e78350b7cb4b95b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/ensure-node-modules-cache.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58622, "scanner": "repobility-supply-chain", "fingerprint": "61463869cb5b1b946ae198ce844ac7f0af618616221fd563632cd7e5abec8e0f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61463869cb5b1b946ae198ce844ac7f0af618616221fd563632cd7e5abec8e0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/ensure-node-modules-cache.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58621, "scanner": "repobility-supply-chain", "fingerprint": "2d6d3f8d489e4e6d0759cbf8236d3f1304ff8d88723dd644ec73ce884c659f91", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d6d3f8d489e4e6d0759cbf8236d3f1304ff8d88723dd644ec73ce884c659f91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/ensure-node-modules-cache.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58620, "scanner": "repobility-supply-chain", "fingerprint": "5533b13f3b19179d88d8c17d3901014fe0f8c68958afea4347b9ff5c6caa2a5c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5533b13f3b19179d88d8c17d3901014fe0f8c68958afea4347b9ff5c6caa2a5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/ensure-node-modules-cache.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58619, "scanner": "repobility-supply-chain", "fingerprint": "9846c651bc8e4008c82c578c6ccae415572d649c26830c7be78b3e9d942b0cb3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9846c651bc8e4008c82c578c6ccae415572d649c26830c7be78b3e9d942b0cb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/ensure-node-modules-cache.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58618, "scanner": "repobility-supply-chain", "fingerprint": "d745832159fcb85c743b3726e386550be939ee609ce6d291aaad5ee24c0a6579", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d745832159fcb85c743b3726e386550be939ee609ce6d291aaad5ee24c0a6579"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/ensure-node-modules-cache.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 58617, "scanner": "repobility-supply-chain", "fingerprint": "e4d2c891a5e10733c3cd2979cd34ee2dc679d9da3171dab102626bb0f30411d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4d2c891a5e10733c3cd2979cd34ee2dc679d9da3171dab102626bb0f30411d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/.github/workflows/ensure-node-modules-cache.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `keytar` pulled from URL/Git: `dependencies.keytar` = `file:./packageMocks/keytar` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 58613, "scanner": "repobility-supply-chain", "fingerprint": "60f7aecd1181354399844eca48cc189050b00b92529eba26c5a8793d32806da8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|60f7aecd1181354399844eca48cc189050b00b92529eba26c5a8793d32806da8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/microsoft-authentication/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/typescript-node:24-bookworm` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/typescript-node:24-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 58612, "scanner": "repobility-supply-chain", "fingerprint": "5d5f284a87c83e5bfb53f08f7e89d0630800083ab2c32be0ab48b036f4525385", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d5f284a87c83e5bfb53f08f7e89d0630800083ab2c32be0ab48b036f4525385"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.imports` used but never assigned in __init__: Method `make_prompt_for_fct` of class `FunctionWithImportsNamespacedInClasses` reads `self.imports`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58611, "scanner": "repobility-ast-engine", "fingerprint": "5d3590e5b5d0014c86658ff5c2adbd18501e1c269205bbf0a30429fd40df4800", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d3590e5b5d0014c86658ff5c2adbd18501e1c269205bbf0a30429fd40df4800"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 402}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.imports` used but never assigned in __init__: Method `make_prompt_for_fct` of class `FunctionWithImportsPastedWithComments` reads `self.imports`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58610, "scanner": "repobility-ast-engine", "fingerprint": "c4cf23ed1f1b34e474005975645d70f6db66600c4a67c5c1c671b486e9d16c33", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c4cf23ed1f1b34e474005975645d70f6db66600c4a67c5c1c671b486e9d16c33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 387}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.imports` used but never assigned in __init__: Method `make_prompt_for_fct` of class `FunctionWithImportsPastedVerbatim` reads `self.imports`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58609, "scanner": "repobility-ast-engine", "fingerprint": "6041d0a41284f7fc1612d82523ae062c7c4632543aeb4c77aa8ef27d5c1a3be1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6041d0a41284f7fc1612d82523ae062c7c4632543aeb4c77aa8ef27d5c1a3be1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 377}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.source_lines` used but never assigned in __init__: Method `make_prompt_for_fct_without_imports` of class `FunctionWithImports` reads `self.source_lines`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58608, "scanner": "repobility-ast-engine", "fingerprint": "8e5f39043a0d349ee5fde9c157c74c0efa5567584cc4216beff903b9b7a55113", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8e5f39043a0d349ee5fde9c157c74c0efa5567584cc4216beff903b9b7a55113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 367}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.source_lines` used but never assigned in __init__: Method `make_prompt_for_fct_without_imports` of class `FunctionWithImports` reads `self.source_lines`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58607, "scanner": "repobility-ast-engine", "fingerprint": "02a65713f8426ae95efd5c5c609c53c72029436ebeb21f22989c99cf71e9cf3c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|02a65713f8426ae95efd5c5c609c53c72029436ebeb21f22989c99cf71e9cf3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 364}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.source_lines` used but never assigned in __init__: Method `make_prompt_for_fct_without_imports` of class `FunctionWithImports` reads `self.source_lines`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58606, "scanner": "repobility-ast-engine", "fingerprint": "3b35725a6876c3bdfdfa60d6ae43b95f040597b432b0436f46387adddb038df7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3b35725a6876c3bdfdfa60d6ae43b95f040597b432b0436f46387adddb038df7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 362}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.prelude` used but never assigned in __init__: Method `make_prompt_for_fct` of class `FunctionWithImportsKept` reads `self.prelude`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58605, "scanner": "repobility-ast-engine", "fingerprint": "d1716955746260162fe1673f2737bda56cad6b034cc3f7363cadfe7450c98c4b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1716955746260162fe1673f2737bda56cad6b034cc3f7363cadfe7450c98c4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 347}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.header` used but never assigned in __init__: Method `make_prompt_for_fct` of class `FunctionWithImportsKept` reads `self.header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58604, "scanner": "repobility-ast-engine", "fingerprint": "198e1707463db937fb5f2c8cb70e1991b473b2c8dfb18635655de6ae6ecbda7d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|198e1707463db937fb5f2c8cb70e1991b473b2c8dfb18635655de6ae6ecbda7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 347}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_list_of_import_captures` used but never assigned in __init__: Method `truncate_left_but_keep_module_level_imports` of class `ImportParser` reads `self.get_list_of_import_captures`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58603, "scanner": "repobility-ast-engine", "fingerprint": "b2b37ba2b69344eca709a92470e073fb5d62af496706b9a104bc47d1ec4cec0d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b2b37ba2b69344eca709a92470e073fb5d62af496706b9a104bc47d1ec4cec0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 329}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_text_from` used but never assigned in __init__: Method `remove_imports` of class `ImportParser` reads `self.get_text_from`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58602, "scanner": "repobility-ast-engine", "fingerprint": "32cf77d6ffaa8ec1c9ced3e02577e8e80b55507a10341e8c31e4a26c00d6f8a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32cf77d6ffaa8ec1c9ced3e02577e8e80b55507a10341e8c31e4a26c00d6f8a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 321}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_list_of_import_captures` used but never assigned in __init__: Method `remove_imports` of class `ImportParser` reads `self.get_list_of_import_captures`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58601, "scanner": "repobility-ast-engine", "fingerprint": "ec9735cf6cd8363f4a68b56d6442cf9a3cc365fa9c68596382868d4353c79e03", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec9735cf6cd8363f4a68b56d6442cf9a3cc365fa9c68596382868d4353c79e03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_import_statements` used but never assigned in __init__: Method `get_all_imports` of class `ImportParser` reads `self.get_import_statements`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58600, "scanner": "repobility-ast-engine", "fingerprint": "69974ab1fc17f9f4e5ad70c15624643df40339e83367272278f993fa4f687984", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|69974ab1fc17f9f4e5ad70c15624643df40339e83367272278f993fa4f687984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 292}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_text_from` used but never assigned in __init__: Method `get_import_statements` of class `ImportParser` reads `self.get_text_from`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58599, "scanner": "repobility-ast-engine", "fingerprint": "e7cd323c73dc84e86839d2bd3bdbd38af8b5c8fb7287f9334d0c6c24b89be867", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e7cd323c73dc84e86839d2bd3bdbd38af8b5c8fb7287f9334d0c6c24b89be867"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parse_single_import` used but never assigned in __init__: Method `get_import_statements` of class `ImportParser` reads `self.parse_single_import`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58598, "scanner": "repobility-ast-engine", "fingerprint": "49d19b82d5624a49e3003edea13048fc3bc66a75a2abdba59bc373b8e0ecba40", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|49d19b82d5624a49e3003edea13048fc3bc66a75a2abdba59bc373b8e0ecba40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_list_of_import_captures` used but never assigned in __init__: Method `get_import_statements` of class `ImportParser` reads `self.get_list_of_import_captures`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58597, "scanner": "repobility-ast-engine", "fingerprint": "08f56f5a1974167f55b7f307a85b06e301dee0b6d2dde49e6c3ddfb6bf2ac416", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08f56f5a1974167f55b7f307a85b06e301dee0b6d2dde49e6c3ddfb6bf2ac416"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 263}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.describe_from_the_outside` used but never assigned in __init__: Method `describe_from_the_outside_as_comment` of class `ImportAnalysis` reads `self.describe_from_the_outside`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58596, "scanner": "repobility-ast-engine", "fingerprint": "4c53b886fa63e445b8b849655c957bba7f343bbd5dc69d6fd931316162e64338", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4c53b886fa63e445b8b849655c957bba7f343bbd5dc69d6fd931316162e64338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.describe` used but never assigned in __init__: Method `description_comment` of class `ImportAnalysis` reads `self.describe`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58595, "scanner": "repobility-ast-engine", "fingerprint": "eb70194c10fec2ab4ffbe3dc6a245889027b6f8dfb80462733c66773cc2c7ec1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb70194c10fec2ab4ffbe3dc6a245889027b6f8dfb80462733c66773cc2c7ec1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_class_description` used but never assigned in __init__: Method `describe` of class `ImportAnalysis` reads `self.get_class_description`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58594, "scanner": "repobility-ast-engine", "fingerprint": "407f788be6eba7ef1124bd5f8cb574b6106405c55b65f078f7a0c9746bd3b9a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|407f788be6eba7ef1124bd5f8cb574b6106405c55b65f078f7a0c9746bd3b9a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_function_description` used but never assigned in __init__: Method `describe` of class `ImportAnalysis` reads `self.get_function_description`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58593, "scanner": "repobility-ast-engine", "fingerprint": "437ac51caa193cb41354cf6b3a8f6fa79ffd2e706ebe9be26fa5275c63c2422c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|437ac51caa193cb41354cf6b3a8f6fa79ffd2e706ebe9be26fa5275c63c2422c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_names_of_imported_by_type` used but never assigned in __init__: Method `describe` of class `ImportAnalysis` reads `self.get_names_of_imported_by_type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58592, "scanner": "repobility-ast-engine", "fingerprint": "ff3f0a5a61ab850dd24743a3d2feb41729601f469dbffa7304092340b463b0ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ff3f0a5a61ab850dd24743a3d2feb41729601f469dbffa7304092340b463b0ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_methods_of_type` used but never assigned in __init__: Method `get_class_description` of class `ImportAnalysis` reads `self.get_methods_of_type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58591, "scanner": "repobility-ast-engine", "fingerprint": "ec1da09ff90f243de512eb729376b4db802a8e711be0213bcb6d94a9c7d96d22", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec1da09ff90f243de512eb729376b4db802a8e711be0213bcb6d94a9c7d96d22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._unpack_dict` used but never assigned in __init__: Method `_get_imported_objects` of class `ImportAnalysis` reads `self._unpack_dict`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58590, "scanner": "repobility-ast-engine", "fingerprint": "296a2fa4580a8d3b66d516af0c36d7df0d835e3b375421ce2172927fee14000a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|296a2fa4580a8d3b66d516af0c36d7df0d835e3b375421ce2172927fee14000a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/prompt/src/test/testdata/example.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_adding` of class `TestAddingFunction` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58588, "scanner": "repobility-ast-engine", "fingerprint": "cf6b4ce16dced9cb7bddd2c1d4ef7b19b963113e4d7ccaa4bc650c9135d79e0c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf6b4ce16dced9cb7bddd2c1d4ef7b19b963113e4d7ccaa4bc650c9135d79e0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/test/simulation/fixtures/fixing/python/pyright_missing_import.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_subtract` of class `TestExample` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58587, "scanner": "repobility-ast-engine", "fingerprint": "c2175346c606d499a931c2de155d127cf4e5a38ad7dda8cfbde30d5312a2f615", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c2175346c606d499a931c2de155d127cf4e5a38ad7dda8cfbde30d5312a2f615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/test/simulation/fixtures/tests/py-pyproject-toml/tests/test_sub.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_subtract` of class `TestExample` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 58586, "scanner": "repobility-ast-engine", "fingerprint": "01feb5209253bac501ba12aebde66cf9f13e63bbaa5268121d8e8d87207246d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|01feb5209253bac501ba12aebde66cf9f13e63bbaa5268121d8e8d87207246d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/test/simulation/fixtures/tests/py-pyproject-toml/tests/test_sub.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 58567, "scanner": "repobility-docker", "fingerprint": "5fbf82bb8be14088a7da8b7625393586727c0bb1b549a572b3d02374fde29e9e", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5fbf82bb8be14088a7da8b7625393586727c0bb1b549a572b3d02374fde29e9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render."}, "properties": {"repobilityId": 58545, "scanner": "repobility-threat-engine", "fingerprint": "1981e565837aa39ec5b1e4e1f88ff663e566cb8bf7398041ab44b0fbe6ac88d3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1981e565837aa39ec5b1e4e1f88ff663e566cb8bf7398041ab44b0fbe6ac88d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/tunnel-forwarding/src/extension.ts"}, "region": {"startLine": 259}}}]}, {"ruleId": "SEC036", "level": "error", "message": {"text": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. Real CVEs: CVE-2017-15193 (Mahara), CVE-2019-11358 (Django), CVE-2020-26116 (Python http.client). CWE-93/113."}, "properties": {"repobilityId": 58542, "scanner": "repobility-threat-engine", "fingerprint": "0fb7a978c8eea6b798628956bbb99e1d1d6fc29a5945145008a4297667c3741f", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "res.setHeader('content-length', body", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC036", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|24|sec036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/github-authentication/src/node/authServer.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 58536, "scanner": "repobility-threat-engine", "fingerprint": "6ed55d1ebddda0cc302864a95abcc250e686e41a0a7a388a8c92d168a5505b3f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ed55d1ebddda0cc302864a95abcc250e686e41a0a7a388a8c92d168a5505b3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/util/vs/base/common/hash.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 58533, "scanner": "repobility-threat-engine", "fingerprint": "e348b58f517a5d2c0d3b892900007a425685bd609c6fe5f749b94ed45af20ffa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e348b58f517a5d2c0d3b892900007a425685bd609c6fe5f749b94ed45af20ffa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/platform/inlineEdits/common/responseProcessor.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 58532, "scanner": "repobility-threat-engine", "fingerprint": "24e988211235f40b178de11cefed7827b2dde83ccf41725060a637bc7d74512b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|24e988211235f40b178de11cefed7827b2dde83ccf41725060a637bc7d74512b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/prompts/node/panel/symbolAtCursor.tsx"}, "region": {"startLine": 191}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 58518, "scanner": "repobility-threat-engine", "fingerprint": "33100b3128997f9e840b6589082a6b13aa8e24eb5463fb2ed846822f650c878c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.delete(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|33100b3128997f9e840b6589082a6b13aa8e24eb5463fb2ed846822f650c878c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/chatSessions/vscode-node/sessionRequestLifecycle.ts"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 58517, "scanner": "repobility-threat-engine", "fingerprint": "b42e861b97db9d8d685865ca39e700449c0d7e904780f967a242a97326b84172", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b42e861b97db9d8d685865ca39e700449c0d7e904780f967a242a97326b84172"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/chatSessions/vscode-node/copilotCLIShim.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 58511, "scanner": "repobility-threat-engine", "fingerprint": "c58aed3c9d651ab92c44cfca04f0c0648d81f23b3b907a440626c7405a317b15", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(dumpDir, `responses-stream-${ts}-${request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|63|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/platform/endpoint/node/responsesApiDebugDump.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 58510, "scanner": "repobility-threat-engine", "fingerprint": "06add966cf858c08a77f8bfb8c2d2520cee650c45f7723e52621786366a37549", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(simulationFolder, entry, `0${testRun}-sim-request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|49|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/script/testGeneration/editFromPatchTests.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 58508, "scanner": "repobility-threat-engine", "fingerprint": "ad4f5ddaf4de396b4f18782a06e2cd946f93841cc35a0d32f53e49c8e603f51e", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((w, i) => `${i + 1}. ${w}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad4f5ddaf4de396b4f18782a06e2cd946f93841cc35a0d32f53e49c8e603f51e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/intents/node/hookResultProcessor.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 58507, "scanner": "repobility-threat-engine", "fingerprint": "8e2f3fd82f4a2eb7d1b54c778235449ef5d4828b37af9d20c62ea07f7ecc7d05", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `${message.solutions.length}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8e2f3fd82f4a2eb7d1b54c778235449ef5d4828b37af9d20c62ea07f7ecc7d05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/completions-core/vscode-node/extension/src/copilotPanel/webView/suggestionsPanelWebview.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 58506, "scanner": "repobility-threat-engine", "fingerprint": "3e132cb2167138f5ccf01994dfed9bec811e82c7e1e42eb3b16127171fbdd513", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${key}=${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3e132cb2167138f5ccf01994dfed9bec811e82c7e1e42eb3b16127171fbdd513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/script/setup/getEnv.mts"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58504, "scanner": "repobility-threat-engine", "fingerprint": "e7d89a1661b2d904ddb451e339fe1cb15f8de01ee2b22e8db487ee17d498a8b4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e7d89a1661b2d904ddb451e339fe1cb15f8de01ee2b22e8db487ee17d498a8b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/byok/vscode-node/azureProvider.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58503, "scanner": "repobility-threat-engine", "fingerprint": "9bcdbf55c85c02113ee665b7dad04af13279853c6f98078b00173511213beb67", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9bcdbf55c85c02113ee665b7dad04af13279853c6f98078b00173511213beb67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/byok/vscode-node/abstractLanguageModelChatProvider.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58502, "scanner": "repobility-threat-engine", "fingerprint": "c8b457e0ef643972d1cd1b3c8a9c47eb8cccdb25a87a949a3649af8a3cd7e074", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c8b457e0ef643972d1cd1b3c8a9c47eb8cccdb25a87a949a3649af8a3cd7e074"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/configuration-editing/src/node/net.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 58486, "scanner": "repobility-threat-engine", "fingerprint": "8ac2f1287f4bf266fa2ca0ee50ccde2faaa27070e7785dc44cceedb1c9044bad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8ac2f1287f4bf266fa2ca0ee50ccde2faaa27070e7785dc44cceedb1c9044bad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/json_rpc.rs"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 58485, "scanner": "repobility-threat-engine", "fingerprint": "a62cce53de88a190d73a9a12b29923768eebf56397d8a86abf27acc6d451e3f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a62cce53de88a190d73a9a12b29923768eebf56397d8a86abf27acc6d451e3f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/constants.rs"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 58484, "scanner": "repobility-threat-engine", "fingerprint": "9d7534e6973c5c3ca84f972a6f5ff7f6efc7146e96d63df56183c4a8ffd2a975", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d7534e6973c5c3ca84f972a6f5ff7f6efc7146e96d63df56183c4a8ffd2a975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/build.rs"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 58472, "scanner": "repobility-threat-engine", "fingerprint": "bd7f14ece0da669e6c1a10da22f65020fd80f4c6125914410218a8f62bbb92a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bd7f14ece0da669e6c1a10da22f65020fd80f4c6125914410218a8f62bbb92a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".vscode/extensions/vscode-selfhost-test-provider/src/failureTracker.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 58471, "scanner": "repobility-threat-engine", "fingerprint": "bbbbe7e73d380f28036e1abb1f1a3ac83967b6a4b7e5efb5dceb2f28e0723515", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(comment", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bbbbe7e73d380f28036e1abb1f1a3ac83967b6a4b7e5efb5dceb2f28e0723515"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/vscode-dts-vscode-in-comments.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 58470, "scanner": "repobility-threat-engine", "fingerprint": "0ffe6b3d6f903784ccb5ff88e7ab7422e2aa057a6b8628d24e5bd2c03adac547", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(ident", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0ffe6b3d6f903784ccb5ff88e7ab7422e2aa057a6b8628d24e5bd2c03adac547"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/vscode-dts-event-naming.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 58468, "scanner": "repobility-threat-engine", "fingerprint": "7e4758429dd89d16f03ac2734a761d0d885f66b5c299edf7de7ecdcc6907b725", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(escapeRegExpCharacters", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7e4758429dd89d16f03ac2734a761d0d885f66b5c299edf7de7ecdcc6907b725"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/linkify/common/linkifier.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 58467, "scanner": "repobility-threat-engine", "fingerprint": "3dfef378a9ccfbf9ce5fdd49759ee7b4616eeb02f4d9ed1117293522e4a91e6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3dfef378a9ccfbf9ce5fdd49759ee7b4616eeb02f4d9ed1117293522e4a91e6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/conversation/vscode-node/logWorkspaceState.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 58466, "scanner": "repobility-threat-engine", "fingerprint": "8f73fe4791c8772de7bfd75884b4957be006f896252558289410063f948410cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(match", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f73fe4791c8772de7bfd75884b4957be006f896252558289410063f948410cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/vscode-dts-event-naming.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 58453, "scanner": "repobility-threat-engine", "fingerprint": "46288c2d0e299acae57029fbdd71465abe1140a56652d8bc51591c7957d21659", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.graph.delete(rel);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|46288c2d0e299acae57029fbdd71465abe1140a56652d8bc51591c7957d21659"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".vscode/extensions/vscode-selfhost-test-provider/src/importGraph.ts"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 58452, "scanner": "repobility-threat-engine", "fingerprint": "53ca78fd766066c7877eb37a4550ce4a3feab12b73a340c775e53ed4c42d1f68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.lastFailed.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53ca78fd766066c7877eb37a4550ce4a3feab12b73a340c775e53ed4c42d1f68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".vscode/extensions/vscode-selfhost-test-provider/src/failureTracker.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 58451, "scanner": "repobility-threat-engine", "fingerprint": "2ccda676d863aec9fd74b6a97c3d8fc05feaca927042cc7c5f4e8dc01592e876", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "doubleQuotedStringLiterals.delete(keyNode);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2ccda676d863aec9fd74b6a97c3d8fc05feaca927042cc7c5f4e8dc01592e876"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/code-no-unexternalized-strings.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 58436, "scanner": "repobility-threat-engine", "fingerprint": "e7a781049b6c9a1fa9f6ca044fd558abe4798f6fdf63be4ea82b42ec28234720", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.warn('Produced chunk that is over length limit', { file: chunk.file + '', range: chunk.range", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|6|console.warn produced chunk that is over length limit file: chunk.file + range: chunk.range"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/platform/chunking/node/naiveChunkerService.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 58435, "scanner": "repobility-threat-engine", "fingerprint": "e16fc0aa14f7ee8c6293b66d05db83d711f51c95b552677e871f8c70430c7d67", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "Logger.captureInvocation(executionSubagentToken, ()", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|10|logger.captureinvocation executionsubagenttoken"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/tools/node/executionSubagentTool.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 58544, "scanner": "repobility-threat-engine", "fingerprint": "493bf579aa2848a131e1fdf4018ccae247f0f2fa730b56e40c591fa8aa4a926f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|493bf579aa2848a131e1fdf4018ccae247f0f2fa730b56e40c591fa8aa4a926f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/php-language-features/src/features/phpGlobals.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 58531, "scanner": "repobility-threat-engine", "fingerprint": "c94d43597c01c33e46a9f86f3dd408efcb508a5c9923d795e8e588c6dc49b0f1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c94d43597c01c33e46a9f86f3dd408efcb508a5c9923d795e8e588c6dc49b0f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/intents/node/promptOverride.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 58530, "scanner": "repobility-threat-engine", "fingerprint": "b8c2d3cc160675e8a94d9418e5c04473ddbebe361d8fd31f1d02d6fdfd7c94e1", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|107|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/intents/node/promptOverride.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 58529, "scanner": "repobility-threat-engine", "fingerprint": "eca61229692297e8cd77486c05712748021d25118f8af14414a6d5818370dc37", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(content)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eca61229692297e8cd77486c05712748021d25118f8af14414a6d5818370dc37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/copilot/src/extension/intents/node/promptOverride.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 58461, "scanner": "repobility-threat-engine", "fingerprint": "bdecb654b88d42ee5e12885fbae19a9b9382c66871e77fa2ab4b51acc73855b9", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bdecb654b88d42ee5e12885fbae19a9b9382c66871e77fa2ab4b51acc73855b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extensions/markdown-math/src/extension.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 58459, "scanner": "repobility-threat-engine", "fingerprint": "b87771f5f98f65cf023bff976e15308fad154a94cbee738418021f7d5ce09566", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(file", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b87771f5f98f65cf023bff976e15308fad154a94cbee738418021f7d5ce09566"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslint-plugin-local/index.ts"}, "region": {"startLine": 17}}}]}]}]}