{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-2c2j-9gv5-cj73", "name": "starlette: GHSA-2c2j-9gv5-cj73", "shortDescription": {"text": "starlette: GHSA-2c2j-9gv5-cj73"}, "fullDescription": {"text": "Starlette has possible denial-of-service vector when parsing large files in multipart forms"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gc5v-m9x4-r6x2", "name": "requests: GHSA-gc5v-m9x4-r6x2", "shortDescription": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "fullDescription": {"text": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mf9w-mj56-hr94", "name": "python-dotenv: GHSA-mf9w-mj56-hr94", "shortDescription": {"text": "python-dotenv: GHSA-mf9w-mj56-hr94"}, "fullDescription": {"text": "python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6w46-j5rx-g56g", "name": "pytest: GHSA-6w46-j5rx-g56g", "shortDescription": {"text": "pytest: GHSA-6w46-j5rx-g56g"}, "fullDescription": {"text": "pytest has vulnerable tmpdir handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r73j-pqj5-w3x7", "name": "pillow: GHSA-r73j-pqj5-w3x7", "shortDescription": {"text": "pillow: GHSA-r73j-pqj5-w3x7"}, "fullDescription": {"text": "Pillow has a PDF Parsing Trailer Infinite Loop (DoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5xmw-vc9v-4wf2", "name": "pillow: GHSA-5xmw-vc9v-4wf2", "shortDescription": {"text": "pillow: GHSA-5xmw-vc9v-4wf2"}, "fullDescription": {"text": "Pillow has a heap buffer overflow with nested list coordinates"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v34v-rq6j-cj6p", "name": "langsmith: 
GHSA-v34v-rq6j-cj6p", "shortDescription": {"text": "langsmith: GHSA-v34v-rq6j-cj6p"}, "fullDescription": {"text": "LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rr7j-v2q5-chgv", "name": "langsmith: GHSA-rr7j-v2q5-chgv", "shortDescription": {"text": "langsmith: GHSA-rr7j-v2q5-chgv"}, "fullDescription": {"text": "LangSmith SDK: Streaming token events bypass output redaction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mhr3-j7m5-c7c9", "name": "langgraph-checkpoint: GHSA-mhr3-j7m5-c7c9", "shortDescription": {"text": "langgraph-checkpoint: GHSA-mhr3-j7m5-c7c9"}, "fullDescription": {"text": "LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-926x-3r5x-gfhw", "name": "langchain-core: GHSA-926x-3r5x-gfhw", "shortDescription": {"text": "langchain-core: GHSA-926x-3r5x-gfhw"}, "fullDescription": {"text": "LangChain has incomplete f-string validation in prompt templates"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-65pc-fj4g-8rjx", "name": "idna: GHSA-65pc-fj4g-8rjx", "shortDescription": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "fullDescription": {"text": "Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-768j-98cg-p3fv", "name": "fonttools: GHSA-768j-98cg-p3fv", 
"shortDescription": {"text": "fonttools: GHSA-768j-98cg-p3fv"}, "fullDescription": {"text": "fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w2fm-2cpv-w7v5", "name": "aiohttp: GHSA-w2fm-2cpv-w7v5", "shortDescription": {"text": "aiohttp: GHSA-w2fm-2cpv-w7v5"}, "fullDescription": {"text": "aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p998-jp59-783m", "name": "aiohttp: GHSA-p998-jp59-783m", "shortDescription": {"text": "aiohttp: GHSA-p998-jp59-783m"}, "fullDescription": {"text": "AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m5qp-6w8w-w647", "name": "aiohttp: GHSA-m5qp-6w8w-w647", "shortDescription": {"text": "aiohttp: GHSA-m5qp-6w8w-w647"}, "fullDescription": {"text": "AIOHTTP has a Multipart Header Size Bypass"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jj3x-wxrx-4x23", "name": "aiohttp: GHSA-jj3x-wxrx-4x23", "shortDescription": {"text": "aiohttp: GHSA-jj3x-wxrx-4x23"}, "fullDescription": {"text": "AIOHTTP vulnerable to DoS when bypassing asserts"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jg22-mg44-37j8", "name": "aiohttp: GHSA-jg22-mg44-37j8", "shortDescription": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "fullDescription": {"text": "AIOHTTP is Vulnerable to Deserialization 
of Untrusted Data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hg6j-4rv6-33pg", "name": "aiohttp: GHSA-hg6j-4rv6-33pg", "shortDescription": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "fullDescription": {"text": "AIOHTTP is vulnerable to cross-origin redirect with per-request cookies"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g84x-mcqj-x9qq", "name": "aiohttp: GHSA-g84x-mcqj-x9qq", "shortDescription": {"text": "aiohttp: GHSA-g84x-mcqj-x9qq"}, "fullDescription": {"text": "AIOHTTP vulnerable to DoS through chunked messages"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c427-h43c-vf67", "name": "aiohttp: GHSA-c427-h43c-vf67", "shortDescription": {"text": "aiohttp: GHSA-c427-h43c-vf67"}, "fullDescription": {"text": "AIOHTTP accepts duplicate Host headers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6jhg-hg63-jvvf", "name": "aiohttp: GHSA-6jhg-hg63-jvvf", "shortDescription": {"text": "aiohttp: GHSA-6jhg-hg63-jvvf"}, "fullDescription": {"text": "AIOHTTP vulnerable to  denial of service through large payloads"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-93m4-6634-74q7", "name": "vite: 
GHSA-93m4-6634-74q7", "shortDescription": {"text": "vite: GHSA-93m4-6634-74q7"}, "fullDescription": {"text": "vite allows server.fs.deny bypass via backslash on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x7hr-w5r2-h6wg", "name": "prismjs: GHSA-x7hr-w5r2-h6wg", "shortDescription": {"text": "prismjs: GHSA-x7hr-w5r2-h6wg"}, "fullDescription": {"text": "PrismJS DOM Clobbering vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh29-5h37-fv8m", "name": "js-yaml: GHSA-mh29-5h37-fv8m", "shortDescription": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "fullDescription": {"text": "js-yaml has prototype pollution in merge (<<)"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67mh-4wv8-2f99", "name": "esbuild: GHSA-67mh-4wv8-2f99", "shortDescription": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "fullDescription": {"text": "esbuild enables any website to send any requests to the development server and read the response"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xcj6-pq6g-qj4x", "name": "vite: GHSA-xcj6-pq6g-qj4x", "shortDescription": {"text": "vite: GHSA-xcj6-pq6g-qj4x"}, "fullDescription": {"text": "Vite allows server.fs.deny to be bypassed with .svg or relative paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x574-m823-4x7w", "name": "vite: GHSA-x574-m823-4x7w", "shortDescription": {"text": "vite: GHSA-x574-m823-4x7w"}, "fullDescription": {"text": "Vite bypasses server.fs.deny when using ?raw??"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vg6x-rcgg-rjx6", "name": "vite: GHSA-vg6x-rcgg-rjx6", 
"shortDescription": {"text": "vite: GHSA-vg6x-rcgg-rjx6"}, "fullDescription": {"text": "Websites were able to send any requests to the development server and read the response in vite"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9cwx-2883-4wfx", "name": "vite: GHSA-9cwx-2883-4wfx", "shortDescription": {"text": "vite: GHSA-9cwx-2883-4wfx"}, "fullDescription": {"text": "Vite's `server.fs.deny` is bypassed when using `?import&raw`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8jhw-289h-jh2g", "name": "vite: GHSA-8jhw-289h-jh2g", "shortDescription": {"text": "vite: GHSA-8jhw-289h-jh2g"}, "fullDescription": {"text": "Vite's `server.fs.deny` did not deny requests for patterns with directories."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-859w-5945-r5v3", "name": "vite: GHSA-859w-5945-r5v3", "shortDescription": {"text": "vite: GHSA-859w-5945-r5v3"}, "fullDescription": {"text": "Vite's server.fs.deny bypassed with /. 
for files under project root"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-64vr-g452-qvp3", "name": "vite: GHSA-64vr-g452-qvp3", "shortDescription": {"text": "vite: GHSA-64vr-g452-qvp3"}, "fullDescription": {"text": "Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4r4m-qw57-chr8", "name": "vite: GHSA-4r4m-qw57-chr8", "shortDescription": {"text": "vite: GHSA-4r4m-qw57-chr8"}, "fullDescription": {"text": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-356w-63v5-8wf4", "name": "vite: GHSA-356w-63v5-8wf4", "shortDescription": {"text": "vite: GHSA-356w-63v5-8wf4"}, "fullDescription": {"text": "Vite has an `server.fs.deny` bypass with an invalid `request-target`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-968p-4wvh-cqc8", "name": "@babel/helpers: GHSA-968p-4wvh-cqc8", "shortDescription": {"text": "@babel/helpers: GHSA-968p-4wvh-cqc8"}, "fullDescription": {"text": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `backtester-ollama` image has no explicit tag", "shortDescription": {"text": "Compose service `backtester-ollama` image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens 
reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `ollama` image uses the latest tag", "shortDescription": {"text": "Compose service `ollama` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@vitejs/plugin-react` is 2 major version(s) behind (4.2.1 -> 6.0.2)", "shortDescription": {"text": "npm package `@vitejs/plugin-react` is 2 major version(s) behind (4.2.1 -> 6.0.2)"}, "fullDescription": {"text": "`@vitejs/plugin-react` is pinned/resolved at 4.2.1 but the latest stable release on the npm registry is 6.0.2 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-PY", "name": "Python package `groq` is 1 major version(s) behind (0.32.0 -> 1.4.0)", "shortDescription": {"text": "Python package `groq` is 1 major version(s) behind (0.32.0 -> 1.4.0)"}, "fullDescription": {"text": "poetry.lock pins `groq` at 0.32.0 but the latest stable release on PyPI is 1.4.0 (1 major version(s) behind)."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "Mutable default argument in `__init__` (dict)", "shortDescription": {"text": "Mutable default argument in `__init__` (dict)"}, "fullDescription": {"text": "`def __init__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-5239-wwwm-4pmq", "name": "pygments: GHSA-5239-wwwm-4pmq", "shortDescription": {"text": "pygments: GHSA-5239-wwwm-4pmq"}, "fullDescription": {"text": "Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g6r-c272-w58r", "name": "langchain-core: GHSA-2g6r-c272-w58r", "shortDescription": {"text": "langchain-core: GHSA-2g6r-c272-w58r"}, "fullDescription": {"text": "LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwh4-6h8g-pg8w", "name": "aiohttp: GHSA-mwh4-6h8g-pg8w", "shortDescription": {"text": "aiohttp: GHSA-mwh4-6h8g-pg8w"}, "fullDescription": {"text": "AIOHTTP has HTTP response splitting via \\r in reason phrase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mqqc-3gqh-h2x8", "name": "aiohttp: GHSA-mqqc-3gqh-h2x8", "shortDescription": {"text": "aiohttp: GHSA-mqqc-3gqh-h2x8"}, "fullDescription": {"text": "AIOHTTP has unicode match groups in regexes for ASCII protocol elements"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hcc4-c3v8-rx92", "name": "aiohttp: GHSA-hcc4-c3v8-rx92", "shortDescription": {"text": "aiohttp: GHSA-hcc4-c3v8-rx92"}, "fullDescription": {"text": "AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fh55-r93g-j68g", "name": "aiohttp: GHSA-fh55-r93g-j68g", "shortDescription": {"text": "aiohttp: GHSA-fh55-r93g-j68g"}, "fullDescription": {"text": "AIOHTTP Vulnerable to Cookie Parser Warning Storm"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-966j-vmvw-g2g9", "name": "aiohttp: GHSA-966j-vmvw-g2g9", "shortDescription": {"text": "aiohttp: GHSA-966j-vmvw-g2g9"}, "fullDescription": {"text": "AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-69f9-5gxw-wvc2", "name": "aiohttp: GHSA-69f9-5gxw-wvc2", "shortDescription": 
{"text": "aiohttp: GHSA-69f9-5gxw-wvc2"}, "fullDescription": {"text": "AIOHTTP's unicode processing of header values could cause parsing discrepancies"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-63hf-3vf5-4wqf", "name": "aiohttp: GHSA-63hf-3vf5-4wqf", "shortDescription": {"text": "aiohttp: GHSA-63hf-3vf5-4wqf"}, "fullDescription": {"text": "AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-54jq-c3m8-4m76", "name": "aiohttp: GHSA-54jq-c3m8-4m76", "shortDescription": {"text": "aiohttp: GHSA-54jq-c3m8-4m76"}, "fullDescription": {"text": "AIOHTTP vulnerable to brute-force leak of internal static file path components"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3wq7-rqq7-wx6j", "name": "aiohttp: GHSA-3wq7-rqq7-wx6j", "shortDescription": {"text": "aiohttp: GHSA-3wq7-rqq7-wx6j"}, "fullDescription": {"text": "AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2vrm-gr82-f7m5", "name": "aiohttp: GHSA-2vrm-gr82-f7m5", "shortDescription": {"text": "aiohttp: GHSA-2vrm-gr82-f7m5"}, "fullDescription": {"text": "AIOHTTP has CRLF injection through multipart part content type header construction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jqfw-vq24-v9c3", "name": "vite: GHSA-jqfw-vq24-v9c3", "shortDescription": {"text": "vite: GHSA-jqfw-vq24-v9c3"}, "fullDescription": 
{"text": "Vite's `server.fs` settings were not applied to HTML files"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g4jq-h2w9-997c", "name": "vite: GHSA-g4jq-h2w9-997c", "shortDescription": {"text": "vite: GHSA-g4jq-h2w9-997c"}, "fullDescription": {"text": "Vite middleware may serve files starting with the same name with the public directory"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but 
does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Pip's package cache increases image size and can preserve unnecessary artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `get_agent_model_config` has cognitive complexity 8 (SonarSource scale). C", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `get_agent_model_config` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and r"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED009", "name": "[MINED009] Floats For Money (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED009] Floats For Money (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 1 more): Same pattern found in 1 additional files. ", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-gm62-xv2j-4w53", "name": "urllib3: GHSA-gm62-xv2j-4w53", "shortDescription": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "fullDescription": {"text": "urllib3 allows an unbounded number of links in the decompression chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38jv-5279-wg99", "name": "urllib3: GHSA-38jv-5279-wg99", "shortDescription": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "fullDescription": {"text": "Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2xpw-w6gg-jr37", "name": "urllib3: GHSA-2xpw-w6gg-jr37", "shortDescription": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "fullDescription": {"text": "urllib3 streaming API improperly handles highly compressed data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-141", "name": "urllib3: PYSEC-2026-141", "shortDescription": {"text": "urllib3: PYSEC-2026-141"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. 
This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f96h-pmfr-66vw", "name": "starlette: GHSA-f96h-pmfr-66vw", "shortDescription": {"text": "starlette: GHSA-f96h-pmfr-66vw"}, "fullDescription": {"text": "Starlette Denial of service (DoS) via multipart/form-data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-161", "name": "starlette: PYSEC-2026-161", "shortDescription": {"text": "starlette: PYSEC-2026-161"}, "fullDescription": {"text": "BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jr27-m4p2-rc6r", "name": "pyasn1: GHSA-jr27-m4p2-rc6r", "shortDescription": {"text": "pyasn1: GHSA-jr27-m4p2-rc6r"}, "fullDescription": {"text": "Denial of Service in pyasn1 via Unbounded Recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-63vm-454h-vhhq", "name": "pyasn1: GHSA-63vm-454h-vhhq", "shortDescription": {"text": "pyasn1: GHSA-63vm-454h-vhhq"}, "fullDescription": {"text": "pyasn1 has a DoS vulnerability in decoder"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7gcm-g887-7qv7", "name": "protobuf: GHSA-7gcm-g887-7qv7", "shortDescription": {"text": "protobuf: GHSA-7gcm-g887-7qv7"}, "fullDescription": {"text": "protobuf affected by a JSON recursion depth bypass"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-whj4-6x5x-4v2j", "name": 
"pillow: GHSA-whj4-6x5x-4v2j", "shortDescription": {"text": "pillow: GHSA-whj4-6x5x-4v2j"}, "fullDescription": {"text": "FITS GZIP decompression bomb in Pillow"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pwv6-vv43-88gr", "name": "pillow: GHSA-pwv6-vv43-88gr", "shortDescription": {"text": "pillow: GHSA-pwv6-vv43-88gr"}, "fullDescription": {"text": "Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cfh3-3jmp-rvhc", "name": "pillow: GHSA-cfh3-3jmp-rvhc", "shortDescription": {"text": "pillow: GHSA-cfh3-3jmp-rvhc"}, "fullDescription": {"text": "Pillow affected by out-of-bounds write when loading PSD images"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-165", "name": "pillow: PYSEC-2026-165", "shortDescription": {"text": "pillow: PYSEC-2026-165"}, "fullDescription": {"text": "Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. 
This issue has been patched in version 12.2.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-107", "name": "orjson: PYSEC-2026-107", "shortDescription": {"text": "orjson: PYSEC-2026-107"}, "fullDescription": {"text": "The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2h4p-vjrc-8xpq", "name": "mako: GHSA-2h4p-vjrc-8xpq", "shortDescription": {"text": "mako: GHSA-2h4p-vjrc-8xpq"}, "fullDescription": {"text": "Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-88", "name": "mako: PYSEC-2026-88", "shortDescription": {"text": "mako: PYSEC-2026-88"}, "fullDescription": {"text": "Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). 
This vulnerability is fixed in 1.3.11."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3644-q5cj-c5c7", "name": "langsmith: GHSA-3644-q5cj-c5c7", "shortDescription": {"text": "langsmith: GHSA-3644-q5cj-c5c7"}, "fullDescription": {"text": "LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wwqv-p2pp-99h5", "name": "langgraph-checkpoint: GHSA-wwqv-p2pp-99h5", "shortDescription": {"text": "langgraph-checkpoint: GHSA-wwqv-p2pp-99h5"}, "fullDescription": {"text": "LangGraph Checkpoint affected by RCE in \"json\" mode of JsonPlusSerializer "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-83", "name": "langgraph: PYSEC-2026-83", "shortDescription": {"text": "langgraph: PYSEC-2026-83"}, "fullDescription": {"text": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. 
No known patch is public."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-77", "name": "langchain-text-splitters: PYSEC-2026-77", "shortDescription": {"text": "langchain-text-splitters: PYSEC-2026-77"}, "fullDescription": {"text": "LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections. The response body is parsed and returned as Document objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue. This vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-76", "name": "langchain-openai: PYSEC-2026-76", "shortDescription": {"text": "langchain-openai: PYSEC-2026-76"}, "fullDescription": {"text": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. 
This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qh6h-p6c9-ff54", "name": "langchain-core: GHSA-qh6h-p6c9-ff54", "shortDescription": {"text": "langchain-core: GHSA-qh6h-p6c9-ff54"}, "fullDescription": {"text": "LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pjwx-r37v-7724", "name": "langchain-core: GHSA-pjwx-r37v-7724", "shortDescription": {"text": "langchain-core: GHSA-pjwx-r37v-7724"}, "fullDescription": {"text": "LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6qv9-48xg-fc7f", "name": "langchain-core: GHSA-6qv9-48xg-fc7f", "shortDescription": {"text": "langchain-core: GHSA-6qv9-48xg-fc7f"}, "fullDescription": {"text": "LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-38", "name": "fastapi: PYSEC-2024-38", "shortDescription": {"text": "fastapi: PYSEC-2024-38"}, "fullDescription": {"text": "FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. 
An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.1."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3936-cmfr-pm3m", "name": "black: GHSA-3936-cmfr-pm3m", "shortDescription": {"text": "black: GHSA-3936-cmfr-pm3m"}, "fullDescription": {"text": "Black: Arbitrary file writes from unsanitized user input in cache file name"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-48", "name": "black: PYSEC-2024-48", "shortDescription": {"text": "black: PYSEC-2024-48"}, "fullDescription": {"text": "Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. 
An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.\r\rExploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6mq8-rvhq-8wgg", "name": "aiohttp: GHSA-6mq8-rvhq-8wgg", "shortDescription": {"text": "aiohttp: GHSA-6mq8-rvhq-8wgg"}, "fullDescription": {"text": "AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mw96-cpmx-2vgc", "name": "rollup: GHSA-mw96-cpmx-2vgc", "shortDescription": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "fullDescription": {"text": "Rollup 4 has Arbitrary File Write via Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": 
"minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5j98-mcp5-4vw2", "name": "glob: GHSA-5j98-mcp5-4vw2", "shortDescription": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "fullDescription": {"text": "glob CLI: Command injection via -c/--cmd executes matches with shell:true"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c27g-q93r-2cwf", "name": "vite: GHSA-c27g-q93r-2cwf", "shortDescription": {"text": "vite: GHSA-c27g-q93r-2cwf"}, "fullDescription": {"text": "launch-editor vulnerable to command injection via the crafted request on Windows"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gcx4-mw62-g8wm", "name": "rollup: GHSA-gcx4-mw62-g8wm", "shortDescription": {"text": "rollup: GHSA-gcx4-mw62-g8wm"}, "fullDescription": {"text": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. 
For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nAlso block loopback (127/8) and the IPv6 equivalents, disable or revalidate redirects, and connect to the address that was validated so that a second DNS lookup cannot return a different host."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `python:3.11-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `python:3.11-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "FastAPI DELETE /models/download/{model_name} has no auth", "shortDescription": {"text": "FastAPI DELETE /models/download/{model_name} has no auth"}, "fullDescription": {"text": "Handler `cancel_download` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.prefetch_data` used but never assigned in __init__", "shortDescription": {"text": "`self.prefetch_data` used but never assigned in __init__"}, "fullDescription": {"text": "Method `run_backtest_async` of class `BacktestService` reads `self.prefetch_data`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_exact", "shortDescription": {"text": "Phantom test coverage: test_exact"}, "fullDescription": {"text": "Test function `test_exact` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-c67j-w6g6-q2cm", "name": "langchain-core: GHSA-c67j-w6g6-q2cm", "shortDescription": {"text": "langchain-core: GHSA-c67j-w6g6-q2cm"}, "fullDescription": {"text": "LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `signal` used but not imported", "shortDescription": {"text": "Missing import: `signal` used but not imported"}, "fullDescription": {"text": "The file uses `signal.something(...)` but never imports `signal`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/888"}, "properties": {"repository": "virattt/ai-hedge-fund", "repoUrl": "https://github.com/virattt/ai-hedge-fund", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 82084, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 82082, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 15, "file_path": "app/backend/main.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 82081, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 2, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 82080, "scanner": "repobility-access-control", 
"fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django", "FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-2c2j-9gv5-cj73", "level": "warning", "message": {"text": "starlette: GHSA-2c2j-9gv5-cj73"}, "properties": {"repobilityId": 82074, "scanner": "osv-scanner", "fingerprint": "78ad1736db1185cb2ca45feef8acaddaa87da50622e5a08c723260743dd94673", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-54121"], "package": "starlette", "rule_id": "GHSA-2c2j-9gv5-cj73", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2025-54121|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gc5v-m9x4-r6x2", "level": "warning", "message": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "properties": {"repobilityId": 82072, "scanner": "osv-scanner", "fingerprint": "400cb22475f8f561c27efa442b8645c170c4cec59a5ab938c212fe5a872ea565", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25645"], "package": "requests", "rule_id": "GHSA-gc5v-m9x4-r6x2", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2026-25645|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mf9w-mj56-hr94", "level": "warning", "message": {"text": "python-dotenv: GHSA-mf9w-mj56-hr94"}, "properties": {"repobilityId": 82071, "scanner": "osv-scanner", "fingerprint": "b60bcb5b3af45add06beca2feaffa899d0fbd849e05ed8e5e80710d9b1018701", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-28684"], "package": "python-dotenv", "rule_id": "GHSA-mf9w-mj56-hr94", "scanner": "osv-scanner", "correlation_key": "vuln|python-dotenv|CVE-2026-28684|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6w46-j5rx-g56g", "level": "warning", "message": {"text": "pytest: GHSA-6w46-j5rx-g56g"}, "properties": {"repobilityId": 82070, "scanner": "osv-scanner", "fingerprint": "da60e3648a75c41f1182c9c48bf43f7392b14b827649b4093df6908bc29e9f5d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-71176"], "package": "pytest", "rule_id": "GHSA-6w46-j5rx-g56g", "scanner": "osv-scanner", "correlation_key": "vuln|pytest|CVE-2025-71176|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r73j-pqj5-w3x7", "level": "warning", "message": {"text": "pillow: GHSA-r73j-pqj5-w3x7"}, "properties": {"repobilityId": 82064, "scanner": "osv-scanner", "fingerprint": "c9d9361b7ada3487624e2102613b51fe2cb95d2badf17aa7ebd74575f520c0e1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42310", "CVE-2026-42310"], "package": "pillow", "rule_id": 
"GHSA-r73j-pqj5-w3x7", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42310|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5xmw-vc9v-4wf2", "level": "warning", "message": {"text": "pillow: GHSA-5xmw-vc9v-4wf2"}, "properties": {"repobilityId": 82061, "scanner": "osv-scanner", "fingerprint": "5c410ecee60ba3bdeda0f7651114626b14ffaeccd1200bb66852727b1e91d861", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42309", "CVE-2026-42309"], "package": "pillow", "rule_id": "GHSA-5xmw-vc9v-4wf2", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42309|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v34v-rq6j-cj6p", "level": "warning", "message": {"text": "langsmith: GHSA-v34v-rq6j-cj6p"}, "properties": {"repobilityId": 82056, "scanner": "osv-scanner", "fingerprint": "57af4071f9e7d604eb953d97ff432d1ec157c22548e75052e2d3eb7c7976a84c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25528"], "package": "langsmith", "rule_id": "GHSA-v34v-rq6j-cj6p", "scanner": "osv-scanner", "correlation_key": "vuln|langsmith|CVE-2026-25528|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rr7j-v2q5-chgv", "level": "warning", "message": {"text": "langsmith: GHSA-rr7j-v2q5-chgv"}, "properties": {"repobilityId": 82055, "scanner": "osv-scanner", "fingerprint": "a28cd6a0b95a81796631fcfd485c4d10ccefb15b967ef79dcafe8b48abb268a0", "category": "dependency", "severity": "medium", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41182"], "package": "langsmith", "rule_id": "GHSA-rr7j-v2q5-chgv", "scanner": "osv-scanner", "correlation_key": "vuln|langsmith|CVE-2026-41182|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mhr3-j7m5-c7c9", "level": "warning", "message": {"text": "langgraph-checkpoint: GHSA-mhr3-j7m5-c7c9"}, "properties": {"repobilityId": 82052, "scanner": "osv-scanner", "fingerprint": "96012053b6ba60fff37d01d5dfc7e212ec3e666c4004fe9a04720077852972ff", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27794"], "package": "langgraph-checkpoint", "rule_id": "GHSA-mhr3-j7m5-c7c9", "scanner": "osv-scanner", "correlation_key": "vuln|langgraph-checkpoint|CVE-2026-27794|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-926x-3r5x-gfhw", "level": "warning", "message": {"text": "langchain-core: GHSA-926x-3r5x-gfhw"}, "properties": {"repobilityId": 82045, "scanner": "osv-scanner", "fingerprint": "61e8c2db8da5b06abb633c50d075808cb13996a02c441d6c4a4f6ada9d284e87", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40087"], "package": "langchain-core", "rule_id": "GHSA-926x-3r5x-gfhw", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-core|CVE-2026-40087|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": 
{"repobilityId": 82041, "scanner": "osv-scanner", "fingerprint": "695e0196bf22183709a69e3e5535f2409e9912da6e7a31c6984375e9f05b495a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-768j-98cg-p3fv", "level": "warning", "message": {"text": "fonttools: GHSA-768j-98cg-p3fv"}, "properties": {"repobilityId": 82040, "scanner": "osv-scanner", "fingerprint": "3d9248abfa2e8c02f3856a1229987adbdf1de60ab2dc886611f224022a386dd5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66034"], "package": "fonttools", "rule_id": "GHSA-768j-98cg-p3fv", "scanner": "osv-scanner", "correlation_key": "vuln|fonttools|CVE-2025-66034|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w2fm-2cpv-w7v5", "level": "warning", "message": {"text": "aiohttp: GHSA-w2fm-2cpv-w7v5"}, "properties": {"repobilityId": 82036, "scanner": "osv-scanner", "fingerprint": "abb89dd844f6420c84c816133560c71fe2cbce81fc2b1f940296990af828730d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-22815"], "package": "aiohttp", "rule_id": "GHSA-w2fm-2cpv-w7v5", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-22815|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GHSA-p998-jp59-783m", "level": "warning", "message": {"text": "aiohttp: GHSA-p998-jp59-783m"}, "properties": {"repobilityId": 82035, "scanner": "osv-scanner", "fingerprint": "77625262b5f182433ec1b300b835afa0c63c968dc8b468b9458a0581a40985e4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34515"], "package": "aiohttp", "rule_id": "GHSA-p998-jp59-783m", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34515|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m5qp-6w8w-w647", "level": "warning", "message": {"text": "aiohttp: GHSA-m5qp-6w8w-w647"}, "properties": {"repobilityId": 82032, "scanner": "osv-scanner", "fingerprint": "cdd6405b831f4da1f01b4a8a65de0ccf739cd26ff943193330bbf93895579333", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34516"], "package": "aiohttp", "rule_id": "GHSA-m5qp-6w8w-w647", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34516|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jj3x-wxrx-4x23", "level": "warning", "message": {"text": "aiohttp: GHSA-jj3x-wxrx-4x23"}, "properties": {"repobilityId": 82031, "scanner": "osv-scanner", "fingerprint": "398faec43d3a0bf51a71ef3c326cce00e8df5bfb31bf1f4027852d479dff42d1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69227"], "package": "aiohttp", "rule_id": "GHSA-jj3x-wxrx-4x23", "scanner": "osv-scanner", "correlation_key": 
"vuln|aiohttp|CVE-2025-69227|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jg22-mg44-37j8", "level": "warning", "message": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "properties": {"repobilityId": 82030, "scanner": "osv-scanner", "fingerprint": "fce47bc7d33de2fde6298a9945fd89e9167e98b399eef8943f1dcbfa1c258492", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34993"], "package": "aiohttp", "rule_id": "GHSA-jg22-mg44-37j8", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34993|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hg6j-4rv6-33pg", "level": "warning", "message": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "properties": {"repobilityId": 82029, "scanner": "osv-scanner", "fingerprint": "67a99dff426642504115da7d889ba1752758b338ed81939a578e76f5db81c207", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47265"], "package": "aiohttp", "rule_id": "GHSA-hg6j-4rv6-33pg", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-47265|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g84x-mcqj-x9qq", "level": "warning", "message": {"text": "aiohttp: GHSA-g84x-mcqj-x9qq"}, "properties": {"repobilityId": 82027, "scanner": "osv-scanner", "fingerprint": "96051001ffd760118e47a03d12250ce59ff4b7f91f20ef750f7e7471dc5bbb76", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", 
"aliases": ["CVE-2025-69229"], "package": "aiohttp", "rule_id": "GHSA-g84x-mcqj-x9qq", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69229|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c427-h43c-vf67", "level": "warning", "message": {"text": "aiohttp: GHSA-c427-h43c-vf67"}, "properties": {"repobilityId": 82025, "scanner": "osv-scanner", "fingerprint": "7e5871cbf9b0545f2f61bfcd859601b0dec6f9d85a367a5bfeadf93a89cd3672", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34525"], "package": "aiohttp", "rule_id": "GHSA-c427-h43c-vf67", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34525|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6jhg-hg63-jvvf", "level": "warning", "message": {"text": "aiohttp: GHSA-6jhg-hg63-jvvf"}, "properties": {"repobilityId": 82022, "scanner": "osv-scanner", "fingerprint": "19a926fa702ab953fcccf10373a227f160f53de81cd5473b171f320383350538", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69228"], "package": "aiohttp", "rule_id": "GHSA-6jhg-hg63-jvvf", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69228|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 82016, "scanner": "osv-scanner", "fingerprint": "3f1903c3acd7e456a1d6679bd5f9d09bbcc7822cbd4ef20c147f6e72f365859f", "category": "dependency", "severity": 
"medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-93m4-6634-74q7", "level": "warning", "message": {"text": "vite: GHSA-93m4-6634-74q7"}, "properties": {"repobilityId": 82013, "scanner": "osv-scanner", "fingerprint": "45831525a4ae6bf2430bd7d57ac4af114a9e70d12ab7decf5fbcf3ee135a38cc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-62522"], "package": "vite", "rule_id": "GHSA-93m4-6634-74q7", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-62522|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 82012, "scanner": "osv-scanner", "fingerprint": "bd008ff7bb0c1517e5376b5166aa3773fd6d365eb47f05a919c75a5898f4b7fa", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x7hr-w5r2-h6wg", "level": "warning", "message": {"text": "prismjs: 
GHSA-x7hr-w5r2-h6wg"}, "properties": {"repobilityId": 82010, "scanner": "osv-scanner", "fingerprint": "86a3397f1e8eb5e46434ba29eaaf110870315722b29518c30f395542df884069", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-53382"], "package": "prismjs", "rule_id": "GHSA-x7hr-w5r2-h6wg", "scanner": "osv-scanner", "correlation_key": "vuln|prismjs|CVE-2024-53382|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 82009, "scanner": "osv-scanner", "fingerprint": "6e81b0b8f9d3df568fac00573777fef6dab4034bedce4cbdbbd6c81c6c9dbed6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 82007, "scanner": "osv-scanner", "fingerprint": "09de7740e838ffe51cca9a07d6df21850080ede84fecc722a1f2c6966fe2a716", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": 
"vuln|picomatch|CVE-2026-33672|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 82003, "scanner": "osv-scanner", "fingerprint": "81f0656c7aa6fe6a946cb3d741ba10eac1ac8ea7bf17915bcbe9665dc1d05e15", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 81999, "scanner": "osv-scanner", "fingerprint": "31dd1d8578fcc38a34276b81326de646c5a287200e7ce15129a0897a213a9eab", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 81997, "scanner": "osv-scanner", "fingerprint": "bb36fd3c10a6cba7349b74222fcf4cf66ebc765d3816bf1db67aef7ed043831b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 81996, "scanner": "osv-scanner", "fingerprint": "e8bf1a2bb264a8761a451e7eacc841e7468a5b1795126c333fb482f0a931eb1c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 81995, "scanner": "osv-scanner", "fingerprint": "7d2383addb6e32453b72df5ca3bb5394f7666c0d4164785f103882ea3004a5da", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xcj6-pq6g-qj4x", "level": "warning", "message": {"text": "vite: GHSA-xcj6-pq6g-qj4x"}, "properties": {"repobilityId": 
81994, "scanner": "osv-scanner", "fingerprint": "15372793eed65fe556bf687df586307576c6f4f88bc0dc85d88250f6ed0b2bfe", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-31486"], "package": "vite", "rule_id": "GHSA-xcj6-pq6g-qj4x", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-31486|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x574-m823-4x7w", "level": "warning", "message": {"text": "vite: GHSA-x574-m823-4x7w"}, "properties": {"repobilityId": 81993, "scanner": "osv-scanner", "fingerprint": "444b0eb5f066bbb3b553c862e18ae5a55818a68d27711315174c2a1a89677434", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-30208"], "package": "vite", "rule_id": "GHSA-x574-m823-4x7w", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-30208|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vg6x-rcgg-rjx6", "level": "warning", "message": {"text": "vite: GHSA-vg6x-rcgg-rjx6"}, "properties": {"repobilityId": 81992, "scanner": "osv-scanner", "fingerprint": "9dda12561a76c989efcfd69da2c71aa63bc745f6e1087b7e055b696b149ebf9b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-24010"], "package": "vite", "rule_id": "GHSA-vg6x-rcgg-rjx6", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-24010|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GHSA-9cwx-2883-4wfx", "level": "warning", "message": {"text": "vite: GHSA-9cwx-2883-4wfx"}, "properties": {"repobilityId": 81988, "scanner": "osv-scanner", "fingerprint": "7e9a08f1c5c697523c7e08208d066cd15cd01d293960906115a0c6a7cc84a637", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-45811"], "package": "vite", "rule_id": "GHSA-9cwx-2883-4wfx", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2024-45811|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-93m4-6634-74q7", "level": "warning", "message": {"text": "vite: GHSA-93m4-6634-74q7"}, "properties": {"repobilityId": 81987, "scanner": "osv-scanner", "fingerprint": "c38dbb60c8f2baab2691f6a35f72f4f85743ba7078d9407d6d74b1ce9e3b2c3a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-62522"], "package": "vite", "rule_id": "GHSA-93m4-6634-74q7", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-62522|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8jhw-289h-jh2g", "level": "warning", "message": {"text": "vite: GHSA-8jhw-289h-jh2g"}, "properties": {"repobilityId": 81986, "scanner": "osv-scanner", "fingerprint": "90977e80323a4c4bef19afe98de53207b6e2d21a516f354485adbb111eec0d15", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-31207"], "package": "vite", "rule_id": "GHSA-8jhw-289h-jh2g", "scanner": "osv-scanner", "correlation_key": 
"vuln|vite|CVE-2024-31207|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-859w-5945-r5v3", "level": "warning", "message": {"text": "vite: GHSA-859w-5945-r5v3"}, "properties": {"repobilityId": 81985, "scanner": "osv-scanner", "fingerprint": "3767e054d62e50c72a1224ab2784960d343d4062561d6011d0528e85593965e6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-46565"], "package": "vite", "rule_id": "GHSA-859w-5945-r5v3", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-46565|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-64vr-g452-qvp3", "level": "warning", "message": {"text": "vite: GHSA-64vr-g452-qvp3"}, "properties": {"repobilityId": 81984, "scanner": "osv-scanner", "fingerprint": "e3886aa3e4d80401300943b17697e287adc815287c2aa2d5bd223bd3b60c7dac", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-45812"], "package": "vite", "rule_id": "GHSA-64vr-g452-qvp3", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2024-45812|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 81983, "scanner": "osv-scanner", "fingerprint": "596497c769d4d77a2191753f7cb8dffd7338cb9f8bd0e7b7139b1641eb18fae1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4r4m-qw57-chr8", "level": "warning", "message": {"text": "vite: GHSA-4r4m-qw57-chr8"}, "properties": {"repobilityId": 81982, "scanner": "osv-scanner", "fingerprint": "fe2477292b1051560406f39451d84fee8290f390e4432902715614f1b9bd65bf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-31125"], "package": "vite", "rule_id": "GHSA-4r4m-qw57-chr8", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-31125|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-356w-63v5-8wf4", "level": "warning", "message": {"text": "vite: GHSA-356w-63v5-8wf4"}, "properties": {"repobilityId": 81981, "scanner": "osv-scanner", "fingerprint": "18d4931ec880fcaf718d78804f54ecb90ee0f2d058dbab14332cf6ed557e96fc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-32395"], "package": "vite", "rule_id": "GHSA-356w-63v5-8wf4", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-32395|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x7hr-w5r2-h6wg", "level": "warning", "message": {"text": "prismjs: GHSA-x7hr-w5r2-h6wg"}, "properties": {"repobilityId": 81978, "scanner": "osv-scanner", "fingerprint": "3705bbdf68765e054fb03dc8a4ae8667b6a5ae4a70effc6d7a40e63c5eb1c7e6", 
"category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-53382"], "package": "prismjs", "rule_id": "GHSA-x7hr-w5r2-h6wg", "scanner": "osv-scanner", "correlation_key": "vuln|prismjs|CVE-2024-53382|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 81977, "scanner": "osv-scanner", "fingerprint": "5c6da015940e7aa354d249f08b383a96b5550387e5fae1e9837a6deb614ef320", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 81975, "scanner": "osv-scanner", "fingerprint": "06f5177ab5c22827731f4fdd336eb7da3a6e1d04bc042fe56b7b6966bd2ca8c4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": 
"js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 81971, "scanner": "osv-scanner", "fingerprint": "2660f01fd7f9d3e4401e15d75b68f720ed5703bbecd2844bd4c502202d5dca76", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 81967, "scanner": "osv-scanner", "fingerprint": "de390f9fbf693f3348581fb75fc5cea0054760f0ea4a302c6bbeec24bdef0a5e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 81965, "scanner": "osv-scanner", "fingerprint": "89ed2671cf5d3803e443033ac3f99f9eb58630601e7f8f376d4f50b16f4ffd34", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|token"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 81964, "scanner": "osv-scanner", "fingerprint": "ebbdd59ffbccf0593ee71c31150a3936c8a162b54b1c00e81787de5011bc258b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/helpers: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 81963, "scanner": "osv-scanner", "fingerprint": "d6f01f164efd4479bd1e721e36b2e4f3a9b241cd3ca3cdaea0f3839e0015047d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/helpers", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/helpers|CVE-2025-27789|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `backtester-ollama` image has no explicit tag"}, "properties": {"repobilityId": 81960, "scanner": "repobility-docker", "fingerprint": "d4555d3779926d74aa6e9e530a6c946809bc7c3c0e0e2a7c99644aea59b22020", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag 
or digest.", "evidence": {"image": "ai-hedge-fund", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d4555d3779926d74aa6e9e530a6c946809bc7c3c0e0e2a7c99644aea59b22020"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `backtester` image has no explicit tag"}, "properties": {"repobilityId": 81957, "scanner": "repobility-docker", "fingerprint": "60934cbf3ab4f0238b8a586bc720bda6b2c4ff64b17fb5aa0e6e4dba0ce4aee2", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "ai-hedge-fund", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|60934cbf3ab4f0238b8a586bc720bda6b2c4ff64b17fb5aa0e6e4dba0ce4aee2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `hedge-fund-ollama` image has no explicit tag"}, "properties": {"repobilityId": 81954, "scanner": "repobility-docker", "fingerprint": "cf05427ab0da590e0c599f3c5e3d3f7364e8c7d742a370063b727ad75cca4e88", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "ai-hedge-fund", "rule_id": "DKR002", "scanner": "repobility-docker", 
"references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cf05427ab0da590e0c599f3c5e3d3f7364e8c7d742a370063b727ad75cca4e88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `hedge-fund-reasoning` image has no explicit tag"}, "properties": {"repobilityId": 81951, "scanner": "repobility-docker", "fingerprint": "070f2670a3ae8dd75fc598978cb1120b242bf5d3e9be6720b73af114ee8ba977", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "ai-hedge-fund", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|070f2670a3ae8dd75fc598978cb1120b242bf5d3e9be6720b73af114ee8ba977"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `hedge-fund` image has no explicit tag"}, "properties": {"repobilityId": 81948, "scanner": "repobility-docker", "fingerprint": "4d58332363fc29bc5113e73c6003875626d101a7207235ee752d6a5461f55234", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "ai-hedge-fund", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4d58332363fc29bc5113e73c6003875626d101a7207235ee752d6a5461f55234"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `ollama` image uses the latest tag"}, "properties": {"repobilityId": 81945, "scanner": "repobility-docker", "fingerprint": "b678aa2156316a589129b8238c235f3e429ad08f30a1c0835026592265308772", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ollama/ollama:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b678aa2156316a589129b8238c235f3e429ad08f30a1c0835026592265308772"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 81943, "scanner": "repobility-docker", "fingerprint": "22bbac4b9661e68b021d26ae4797735fd8f311048a44b7cb6638ab0163ec78a4", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], 
"correlation_key": "fp|22bbac4b9661e68b021d26ae4797735fd8f311048a44b7cb6638ab0163ec78a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 81942, "scanner": "repobility-docker", "fingerprint": "243d1ca8b6238d1ca0ad77925b82de986032af68e39e3b0510cd48a9c77f4221", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|243d1ca8b6238d1ca0ad77925b82de986032af68e39e3b0510cd48a9c77f4221", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0). Where the value must be unpredictable, use crypto.getRandomValues() from the Web Crypto API instead."}, "properties": {"repobilityId": 81922, "scanner": "repobility-threat-engine", "fingerprint": "2d9a0b08a10a9cb0c5dd1c3a050e46a945672c9e8262cfe3afa8fab45db1ca99", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * chars.length));\n  }\n  return result;\n};\n\n/**\n * Extract the base agent key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2d9a0b08a10a9cb0c5dd1c3a050e46a945672c9e8262cfe3afa8fab45db1ca99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/data/node-mappings.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default to rel='noopener' for target='_blank' links, but the explicit attribute is still required for compatibility. A window.open() call takes no rel attribute, so it needs 'noopener,noreferrer' in its features argument instead."}, "properties": {"repobilityId": 81921, "scanner": "repobility-threat-engine", "fingerprint": "2723da63c98b4d3031dfd8cb5b80894727e0f91afb9567e6652961900a32266e", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(apiKey.url, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|187|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/components/settings/api-keys.tsx"}, "region": {"startLine": 187}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 81899, "scanner": "repobility-threat-engine", "fingerprint": "5927eb6270a35e64a9838d1f50294735eb7cf741950569b42295ed6d05f02d92", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def create_or_update_api_key", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|27|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/api_keys.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 81898, "scanner": "repobility-threat-engine", "fingerprint": "93cd8301c22f70a6b5ac517e2ceae9caabe84e97e3ce157025d33519fe9cea0f", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def create_or_update_api_key", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|15|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/api_key_repository.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 81893, "scanner": "repobility-threat-engine", "fingerprint": "4b3afa56dca2603eee3eb3f0e33f72483191cf8b6183462572298d7db8ec55f4", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: migration script (typical placeholder values)]", "evidence": {"match": "except:\n            pass", "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: migration script (typical placeholder values)]", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "fp|4b3afa56dca2603eee3eb3f0e33f72483191cf8b6183462572298d7db8ec55f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/alembic/versions/3f9a6b7c8d2e_add_hedgefundflowruncycle_table.py"}, "region": {"startLine": 83}}}]}, {"ruleId": 
"AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 81890, "scanner": "repobility-agent-runtime", "fingerprint": "64a82db911a1faae2bfef4defe13c836f9b7f04a7a69795cdf60d7dd20e5b735", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|64a82db911a1faae2bfef4defe13c836f9b7f04a7a69795cdf60d7dd20e5b735"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/ollama.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitejs/plugin-react` is 2 major version(s) behind (4.2.1 -> 6.0.2)"}, "properties": {"repobilityId": 81886, "scanner": "repobility-dependency-currency", "fingerprint": "5d2674018d41a83feda3c99b2b27c090ea2ae393d48e8165d29999c53d01b7cd", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.2", "correlation_key": "fp|5d2674018d41a83feda3c99b2b27c090ea2ae393d48e8165d29999c53d01b7cd", "current_version": "4.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/react-dom` is 1 major version(s) behind (18.2.18 -> 19.2.3)"}, "properties": {"repobilityId": 81885, "scanner": 
"repobility-dependency-currency", "fingerprint": "2f9f35bfe7ecc9c0031e6c9477f475f07b9fb28cc5b005e136e45dc698bc6f12", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.2.3", "correlation_key": "fp|2f9f35bfe7ecc9c0031e6c9477f475f07b9fb28cc5b005e136e45dc698bc6f12", "current_version": "18.2.18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `react-syntax-highlighter` is 1 major version(s) behind (15.6.1 -> 16.1.1)"}, "properties": {"repobilityId": 81881, "scanner": "repobility-dependency-currency", "fingerprint": "dbffe07a2269f8661133ea66627b9e2df5d60988f10916f3435185811c8e3197", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-syntax-highlighter", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "16.1.1", "correlation_key": "fp|dbffe07a2269f8661133ea66627b9e2df5d60988f10916f3435185811c8e3197", "current_version": "15.6.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `react-resizable-panels` is 1 major version(s) behind (3.0.2 -> 4.11.2)"}, "properties": {"repobilityId": 81880, "scanner": "repobility-dependency-currency", "fingerprint": 
"b71cfcc065635cc1824a0fbf2f13a9e3be7ee37718118a9e7a0f957f799cbfc3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-resizable-panels", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.11.2", "correlation_key": "fp|b71cfcc065635cc1824a0fbf2f13a9e3be7ee37718118a9e7a0f957f799cbfc3", "current_version": "3.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `groq` is 1 major version(s) behind (0.32.0 -> 1.4.0)"}, "properties": {"repobilityId": 81865, "scanner": "repobility-dependency-currency", "fingerprint": "6de856830af8befc77b760ef77703af98d9779379e9131e1d6a5dcd1f6189b71", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "groq", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.4.0", "correlation_key": "fp|6de856830af8befc77b760ef77703af98d9779379e9131e1d6a5dcd1f6189b71", "current_version": "0.32.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `flake8` is 1 major version(s) behind (6.1.0 -> 7.3.0)"}, "properties": {"repobilityId": 81859, "scanner": "repobility-dependency-currency", "fingerprint": "29acd458fa296b78556c9fcd2deab34e8ca108187fea1a63f261ef875561b762", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "flake8", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "7.3.0", "correlation_key": "fp|29acd458fa296b78556c9fcd2deab34e8ca108187fea1a63f261ef875561b762", "current_version": "6.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `certifi` is 1 major version(s) behind (2025.10.5 -> 2026.5.20)"}, "properties": {"repobilityId": 81853, "scanner": "repobility-dependency-currency", "fingerprint": "5558c8cd79ff239d873abf8cb935d5d619e84353085e446a1ef09b834f3ec005", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "certifi", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2026.5.20", "correlation_key": "fp|5558c8cd79ff239d873abf8cb935d5d619e84353085e446a1ef09b834f3ec005", "current_version": "2025.10.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `cachetools` is 1 major version(s) behind (6.2.1 -> 7.1.4)"}, "properties": {"repobilityId": 81852, "scanner": "repobility-dependency-currency", "fingerprint": "93aa042ee103b78cc3e5831f6c988643ab1dd7c850849687a21b2422b645458c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cachetools", "scanner": 
"repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "7.1.4", "correlation_key": "fp|93aa042ee103b78cc3e5831f6c988643ab1dd7c850849687a21b2422b645458c", "current_version": "6.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `black` is 3 major version(s) behind (23.12.1 -> 26.5.1)"}, "properties": {"repobilityId": 81851, "scanner": "repobility-dependency-currency", "fingerprint": "9c241dd2014ad34dea16415469ad12ac6d6a4f9fc3b417f1f1f7ba210e1cc13c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "black", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "26.5.1", "correlation_key": "fp|9c241dd2014ad34dea16415469ad12ac6d6a4f9fc3b417f1f1f7ba210e1cc13c", "current_version": "23.12.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `attrs` is 1 major version(s) behind (25.4.0 -> 26.1.0)"}, "properties": {"repobilityId": 81850, "scanner": "repobility-dependency-currency", "fingerprint": "c688fed35d454bece790d8cabcb096533a2f67750fd018c9f068c652f2e6871d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "attrs", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "26.1.0", "correlation_key": 
"fp|c688fed35d454bece790d8cabcb096533a2f67750fd018c9f068c652f2e6871d", "current_version": "25.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `anyio` is 1 major version(s) behind (3.7.1 -> 4.13.0)"}, "properties": {"repobilityId": 81849, "scanner": "repobility-dependency-currency", "fingerprint": "ffbf2a0108eacfa6c626bba9f88255cc99c3b44bb099d1f5c5f23e855dfc57e1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "anyio", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "4.13.0", "correlation_key": "fp|ffbf2a0108eacfa6c626bba9f88255cc99c3b44bb099d1f5c5f23e855dfc57e1", "current_version": "3.7.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81837, "scanner": "repobility-ast-engine", "fingerprint": "fa0f2af8b236a7e358efaf994151f7c4bbe2590363169f2a53fea81b94e6d4b8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa0f2af8b236a7e358efaf994151f7c4bbe2590363169f2a53fea81b94e6d4b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/ollama.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except 
continues silently"}, "properties": {"repobilityId": 81836, "scanner": "repobility-ast-engine", "fingerprint": "da31309673eb6c73327d5ac5a7b0336629dbc90517d34b8b35fa69291920a67e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|da31309673eb6c73327d5ac5a7b0336629dbc90517d34b8b35fa69291920a67e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/ollama.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81835, "scanner": "repobility-ast-engine", "fingerprint": "d24fa630442eb8f78ebe72e25ef9b19d406814c2af09b3d71478681f35046efb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d24fa630442eb8f78ebe72e25ef9b19d406814c2af09b3d71478681f35046efb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/ollama.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81834, "scanner": "repobility-ast-engine", "fingerprint": "687ec1c606622f0c8aba823ca8ea3b3334073a00a25b95bf28e2626e278ef23d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", 
"owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|687ec1c606622f0c8aba823ca8ea3b3334073a00a25b95bf28e2626e278ef23d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/ollama.py"}, "region": {"startLine": 387}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81833, "scanner": "repobility-ast-engine", "fingerprint": "c26d0f5b7302726187d475ad0ec9a629fb563e554d6e56a100c7eee7085c8034", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c26d0f5b7302726187d475ad0ec9a629fb563e554d6e56a100c7eee7085c8034"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/ollama.py"}, "region": {"startLine": 306}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81832, "scanner": "repobility-ast-engine", "fingerprint": "93e0059cab07e52b284e096ecf2b6520dcfec6064e1761a7ee79c9aab499dc6f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|93e0059cab07e52b284e096ecf2b6520dcfec6064e1761a7ee79c9aab499dc6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/ollama.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED111", "level": "warning", "message": 
{"text": "Bare except continues silently"}, "properties": {"repobilityId": 81830, "scanner": "repobility-ast-engine", "fingerprint": "acbf5ce47ae9472e962fabc7050957dddf5daa0a8e113217b8c11652bb5e8196", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|acbf5ce47ae9472e962fabc7050957dddf5daa0a8e113217b8c11652bb5e8196"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/llm.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81829, "scanner": "repobility-ast-engine", "fingerprint": "03c802707b76dae4fb67142faf6099de6195ea84f2c5e225dca8497ebdb40a27", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|03c802707b76dae4fb67142faf6099de6195ea84f2c5e225dca8497ebdb40a27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/llm.py"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81828, "scanner": "repobility-ast-engine", "fingerprint": "57b78cabaf2eb1d7831e7b9f829517e568495802322ff295be8734f11290e959", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|57b78cabaf2eb1d7831e7b9f829517e568495802322ff295be8734f11290e959"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/valuation.py"}, "region": {"startLine": 390}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81827, "scanner": "repobility-ast-engine", "fingerprint": "d0ecd64ef81348eb9bac2548f34b6ba73e5892b32e72fa4089f4d8b75f816ed6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d0ecd64ef81348eb9bac2548f34b6ba73e5892b32e72fa4089f4d8b75f816ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/risk_manager.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81826, "scanner": "repobility-ast-engine", "fingerprint": "a2bde463c3d4fc5ffdc9af267bd525bfda9cb9b98cedd6e56f025cdb74060e91", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a2bde463c3d4fc5ffdc9af267bd525bfda9cb9b98cedd6e56f025cdb74060e91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/charlie_munger.py"}, "region": {"startLine": 724}}}]}, {"ruleId": 
"MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81825, "scanner": "repobility-ast-engine", "fingerprint": "06095ae183e72b5acd3ead210e2ac612938f298542e2865edfc653664a60c6e5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06095ae183e72b5acd3ead210e2ac612938f298542e2865edfc653664a60c6e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/rakesh_jhunjhunwala.py"}, "region": {"startLine": 577}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81824, "scanner": "repobility-ast-engine", "fingerprint": "dfec3082a7ee9f4b8acea3fd849e23cc6a79ab24f21cf5ce954df4edda00ba23", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dfec3082a7ee9f4b8acea3fd849e23cc6a79ab24f21cf5ce954df4edda00ba23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/hedge_fund.py"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81823, "scanner": "repobility-ast-engine", "fingerprint": "e06e0aea3a7cae477907d9b1ca6f776e56511385ed87da90a38b12d0ffe9711d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e06e0aea3a7cae477907d9b1ca6f776e56511385ed87da90a38b12d0ffe9711d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/hedge_fund.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81822, "scanner": "repobility-ast-engine", "fingerprint": "8aa440b73bbd1f95190bb810b4dfa8505ffa56d19225616aef1c9347af576d5b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8aa440b73bbd1f95190bb810b4dfa8505ffa56d19225616aef1c9347af576d5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/services/ollama_service.py"}, "region": {"startLine": 371}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81821, "scanner": "repobility-ast-engine", "fingerprint": "02fdb1da60cd5af944b887352de7d4db48a70463dd91cfa9911af01d95bcfd1b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|02fdb1da60cd5af944b887352de7d4db48a70463dd91cfa9911af01d95bcfd1b"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "app/backend/services/ollama_service.py"}, "region": {"startLine": 354}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81820, "scanner": "repobility-ast-engine", "fingerprint": "514c26d2fb270270c0bc4cbfcf92e57d826757ee300ccc1df8579ee8f34ef538", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|514c26d2fb270270c0bc4cbfcf92e57d826757ee300ccc1df8579ee8f34ef538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/services/ollama_service.py"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81819, "scanner": "repobility-ast-engine", "fingerprint": "9f0e429ea8e9977f3a9cd10c4ebdd9b5a44bf8ad49dbe1b6834cae83fdf26382", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9f0e429ea8e9977f3a9cd10c4ebdd9b5a44bf8ad49dbe1b6834cae83fdf26382"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/services/graph.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81818, "scanner": "repobility-ast-engine", "fingerprint": "980ab6c76cdaafd224fcd1e24e1b5d269f929efa6530a2f286a90a2074a8f663", "category": "quality", 
"severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|980ab6c76cdaafd224fcd1e24e1b5d269f929efa6530a2f286a90a2074a8f663"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/services/backtest_service.py"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81817, "scanner": "repobility-ast-engine", "fingerprint": "0fef745f966e528c9d4c0c7c18eda41a2e536879913731485ea7fc8ba8acf8e5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0fef745f966e528c9d4c0c7c18eda41a2e536879913731485ea7fc8ba8acf8e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/services/backtest_service.py"}, "region": {"startLine": 386}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81816, "scanner": "repobility-ast-engine", "fingerprint": "4d95cd9bab464d11396afdce6de62958a7132fd289c9c23ea026f700ca575ea8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|4d95cd9bab464d11396afdce6de62958a7132fd289c9c23ea026f700ca575ea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/services/backtest_service.py"}, "region": {"startLine": 351}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (dict)"}, "properties": {"repobilityId": 81815, "scanner": "repobility-ast-engine", "fingerprint": "e731dd9df2183dbfc6c0131b378b0e8d1c1bbdedb3b8a30608d4adbd52df8338", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e731dd9df2183dbfc6c0131b378b0e8d1c1bbdedb3b8a30608d4adbd52df8338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/services/backtest_service.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81804, "scanner": "repobility-ast-engine", "fingerprint": "949df2189dbf0f06d13055bbfdb01065bbcb7ef9ff94ab80d04064509b14ccd4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|949df2189dbf0f06d13055bbfdb01065bbcb7ef9ff94ab80d04064509b14ccd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/backtesting/integration/conftest.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": 
{"repobilityId": 81803, "scanner": "repobility-ast-engine", "fingerprint": "9f93ae7126bc168c29a767e710b86eed8ff82661bfe570555104ed4380900a0a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9f93ae7126bc168c29a767e710b86eed8ff82661bfe570555104ed4380900a0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/backtesting/integration/conftest.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81784, "scanner": "repobility-ast-engine", "fingerprint": "0eb88397389483127a36ea1d80b64095b6c291afc60324531818650eb8961758", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0eb88397389483127a36ea1d80b64095b6c291afc60324531818650eb8961758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `run_hedge_fund` (list)"}, "properties": {"repobilityId": 81783, "scanner": "repobility-ast-engine", "fingerprint": "53049393b401027b7767c7552f8d1484ba1a5d3d933ae2ad4e75d35d3970b9b9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": 
null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|53049393b401027b7767c7552f8d1484ba1a5d3d933ae2ad4e75d35d3970b9b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81782, "scanner": "repobility-ast-engine", "fingerprint": "9cef92376801f09c0a68a7b3c2866e9db18dad1cf39dbd7ecf810d2aac3b8f24", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9cef92376801f09c0a68a7b3c2866e9db18dad1cf39dbd7ecf810d2aac3b8f24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/backtester.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 81762, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 82083, "scanner": "repobility-access-control", "fingerprint": 
"c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django", "FastAPI"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "GHSA-5239-wwwm-4pmq", "level": "note", "message": {"text": "pygments: GHSA-5239-wwwm-4pmq"}, "properties": {"repobilityId": 82069, "scanner": "osv-scanner", "fingerprint": "75ec3320e01932109794c776f0c074954b23102e230158056876a14286ad793f", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4539"], "package": "pygments", "rule_id": "GHSA-5239-wwwm-4pmq", "scanner": "osv-scanner", "correlation_key": "vuln|pygments|CVE-2026-4539|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g6r-c272-w58r", "level": "note", "message": {"text": "langchain-core: GHSA-2g6r-c272-w58r"}, "properties": {"repobilityId": 82043, "scanner": "osv-scanner", "fingerprint": "52de5550f378462134c2ceab6ec28756b6551ce862e0570bb85db9e8616eba1e", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26013"], "package": "langchain-core", "rule_id": "GHSA-2g6r-c272-w58r", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-core|CVE-2026-26013|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwh4-6h8g-pg8w", "level": "note", "message": {"text": "aiohttp: GHSA-mwh4-6h8g-pg8w"}, 
"properties": {"repobilityId": 82034, "scanner": "osv-scanner", "fingerprint": "a3a159ab8bd08d1572a6f9d63f8849c0e1d3c89c7c9dcf0d87e63bae0879ec22", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34519"], "package": "aiohttp", "rule_id": "GHSA-mwh4-6h8g-pg8w", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34519|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mqqc-3gqh-h2x8", "level": "note", "message": {"text": "aiohttp: GHSA-mqqc-3gqh-h2x8"}, "properties": {"repobilityId": 82033, "scanner": "osv-scanner", "fingerprint": "3195330930313059ddb8508b507ade58141e922b19a8e7304b42c00fe266adfd", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69225"], "package": "aiohttp", "rule_id": "GHSA-mqqc-3gqh-h2x8", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69225|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hcc4-c3v8-rx92", "level": "note", "message": {"text": "aiohttp: GHSA-hcc4-c3v8-rx92"}, "properties": {"repobilityId": 82028, "scanner": "osv-scanner", "fingerprint": "c962e02828f57a8360c62f75c8208394c18e5e9ae829568cea2d34a41adf8035", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34513"], "package": "aiohttp", "rule_id": "GHSA-hcc4-c3v8-rx92", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34513|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GHSA-fh55-r93g-j68g", "level": "note", "message": {"text": "aiohttp: GHSA-fh55-r93g-j68g"}, "properties": {"repobilityId": 82026, "scanner": "osv-scanner", "fingerprint": "d5e5b153e8128c97e3a9685b6f8d63f071d13df80646f6db7ee88e33d5b8cb32", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69230"], "package": "aiohttp", "rule_id": "GHSA-fh55-r93g-j68g", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69230|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-966j-vmvw-g2g9", "level": "note", "message": {"text": "aiohttp: GHSA-966j-vmvw-g2g9"}, "properties": {"repobilityId": 82024, "scanner": "osv-scanner", "fingerprint": "f6a00fb79051bb9505bf2bb76a4339574ce9743d57b0c6425722f56e6892c814", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34518"], "package": "aiohttp", "rule_id": "GHSA-966j-vmvw-g2g9", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34518|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-69f9-5gxw-wvc2", "level": "note", "message": {"text": "aiohttp: GHSA-69f9-5gxw-wvc2"}, "properties": {"repobilityId": 82021, "scanner": "osv-scanner", "fingerprint": "7609607e9dd785d9d2e18bb26cf1658df4567ddd333e8beee8cf00ab98e866cb", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69224"], "package": "aiohttp", "rule_id": "GHSA-69f9-5gxw-wvc2", "scanner": "osv-scanner", "correlation_key": 
"vuln|aiohttp|CVE-2025-69224|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-63hf-3vf5-4wqf", "level": "note", "message": {"text": "aiohttp: GHSA-63hf-3vf5-4wqf"}, "properties": {"repobilityId": 82020, "scanner": "osv-scanner", "fingerprint": "15bae4c7384208f51f794b4795c2bed33ed626154ef0a9bf04d20b9d92968073", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34520"], "package": "aiohttp", "rule_id": "GHSA-63hf-3vf5-4wqf", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34520|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-54jq-c3m8-4m76", "level": "note", "message": {"text": "aiohttp: GHSA-54jq-c3m8-4m76"}, "properties": {"repobilityId": 82019, "scanner": "osv-scanner", "fingerprint": "787f517f75210370d67554ede5e2c741a81787214058bfd4254ac20e98cf3af2", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69226"], "package": "aiohttp", "rule_id": "GHSA-54jq-c3m8-4m76", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69226|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3wq7-rqq7-wx6j", "level": "note", "message": {"text": "aiohttp: GHSA-3wq7-rqq7-wx6j"}, "properties": {"repobilityId": 82018, "scanner": "osv-scanner", "fingerprint": "0c41beb43cad75c36dd8b7738497ce822a60eab913e9a8bb2aa3cfcedd641abc", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-34517"], "package": "aiohttp", "rule_id": "GHSA-3wq7-rqq7-wx6j", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34517|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2vrm-gr82-f7m5", "level": "note", "message": {"text": "aiohttp: GHSA-2vrm-gr82-f7m5"}, "properties": {"repobilityId": 82017, "scanner": "osv-scanner", "fingerprint": "ef1df971284982ae86125b7bd12842c81dd8c7fe6b68e87d9b96c778a574ba54", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34514"], "package": "aiohttp", "rule_id": "GHSA-2vrm-gr82-f7m5", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34514|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jqfw-vq24-v9c3", "level": "note", "message": {"text": "vite: GHSA-jqfw-vq24-v9c3"}, "properties": {"repobilityId": 82015, "scanner": "osv-scanner", "fingerprint": "ad37266c5ac01337d6a7bd6aa5164c4c8f7c6a5a6d1e48fa5bee15276c4144fc", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58752"], "package": "vite", "rule_id": "GHSA-jqfw-vq24-v9c3", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-58752|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g4jq-h2w9-997c", "level": "note", "message": {"text": "vite: GHSA-g4jq-h2w9-997c"}, "properties": {"repobilityId": 82014, "scanner": "osv-scanner", "fingerprint": "862058b4024ce5b52236f817d4ba4872e09a4f89bb353d0ebfbf0aadf536907d", "category": "dependency", "severity": 
"low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58751"], "package": "vite", "rule_id": "GHSA-g4jq-h2w9-997c", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-58751|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 81998, "scanner": "osv-scanner", "fingerprint": "80f14f767f150903f0d13e54e8dc5893918b4306f53daae6c50a14e20f70393f", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jqfw-vq24-v9c3", "level": "note", "message": {"text": "vite: GHSA-jqfw-vq24-v9c3"}, "properties": {"repobilityId": 81991, "scanner": "osv-scanner", "fingerprint": "71c308e3c7d5e4757b889d9996f48fec6afc476b60d490363b09b011e4e93f01", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58752"], "package": "vite", "rule_id": "GHSA-jqfw-vq24-v9c3", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-58752|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g4jq-h2w9-997c", "level": "note", "message": {"text": "vite: 
GHSA-g4jq-h2w9-997c"}, "properties": {"repobilityId": 81990, "scanner": "osv-scanner", "fingerprint": "04971d30c764a7198121fb728d1e28e7b62ebbaccc29ed47aa20cd22cdc25ce1", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58751"], "package": "vite", "rule_id": "GHSA-g4jq-h2w9-997c", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-58751|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 81966, "scanner": "osv-scanner", "fingerprint": "74c0e8fb1b0233df4ae9ef7188bf03b6d1f185ff8f694b6620f68e80b286d00a", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 81962, "scanner": "repobility-docker", "fingerprint": "398f0327e0f97e812cc4fdafff77f125383db6954b4b5cec8f0cd9f0e38574d6", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "backtester-ollama", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|398f0327e0f97e812cc4fdafff77f125383db6954b4b5cec8f0cd9f0e38574d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 81961, "scanner": "repobility-docker", "fingerprint": "f02156319aeb73e120e7139c7eccdfe6beb35c11274f284ba5284d319fb06f07", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "backtester-ollama", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f02156319aeb73e120e7139c7eccdfe6beb35c11274f284ba5284d319fb06f07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 81959, "scanner": "repobility-docker", "fingerprint": "2f22d94f900d80a6b5159d4dcece22517045de3600131d050bfc5bcf14dbc175", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "backtester", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2f22d94f900d80a6b5159d4dcece22517045de3600131d050bfc5bcf14dbc175"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 81958, "scanner": "repobility-docker", "fingerprint": "ed151aa1a07ed0942ef98d4886ba9606f3e599ce47ee7bbc677225e232479eaf", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "backtester", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ed151aa1a07ed0942ef98d4886ba9606f3e599ce47ee7bbc677225e232479eaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 81956, "scanner": "repobility-docker", "fingerprint": "fad9f16a486cceabf694784b90fe61b365393b020e5984f5587eeba8f1f50da1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "hedge-fund-ollama", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fad9f16a486cceabf694784b90fe61b365393b020e5984f5587eeba8f1f50da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a 
runtime user"}, "properties": {"repobilityId": 81955, "scanner": "repobility-docker", "fingerprint": "2851ff42e514e719281d2cca09a94ec73fe3f0d744b656bd26ea0cafcd37ebc2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "hedge-fund-ollama", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2851ff42e514e719281d2cca09a94ec73fe3f0d744b656bd26ea0cafcd37ebc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 81953, "scanner": "repobility-docker", "fingerprint": "0bbf6528d3c16f52d707f2e24039476724a186b3ab4e5c1acd3d4f92a24f65a5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "hedge-fund-reasoning", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0bbf6528d3c16f52d707f2e24039476724a186b3ab4e5c1acd3d4f92a24f65a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 81952, "scanner": "repobility-docker", "fingerprint": "25fc39010204f9fa5fee2532186e9ee90b5439a85e516dcab5df13c1f6ce0543", "category": "docker", 
"severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "hedge-fund-reasoning", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|25fc39010204f9fa5fee2532186e9ee90b5439a85e516dcab5df13c1f6ce0543"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 81950, "scanner": "repobility-docker", "fingerprint": "646782cf6706192962a4dfda7b82c637df2353e54484aa74c30ad7e61de64f4f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "hedge-fund", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|646782cf6706192962a4dfda7b82c637df2353e54484aa74c30ad7e61de64f4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 81949, "scanner": "repobility-docker", "fingerprint": "d9fa1e4c8f610aa95c842f4e684955786456606f31f6d89dc56d31ea8b45d004", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs 
non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "hedge-fund", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d9fa1e4c8f610aa95c842f4e684955786456606f31f6d89dc56d31ea8b45d004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 81947, "scanner": "repobility-docker", "fingerprint": "eedd15d04efe88a2e429f36ff42c1cec90dcb209f1467864baa0c73970c2219e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ollama", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|eedd15d04efe88a2e429f36ff42c1cec90dcb209f1467864baa0c73970c2219e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 81946, "scanner": "repobility-docker", "fingerprint": "8938d773cac80c8fcf730706bdaa8d4ced7a836a56608454f95113d656c41b26", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ollama", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|8938d773cac80c8fcf730706bdaa8d4ced7a836a56608454f95113d656c41b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 81944, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 81941, "scanner": "repobility-docker", "fingerprint": "12ec1920206d2769576c8ce16dc92fe3fb1d32f63868749e06ece4afb73f733b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|12ec1920206d2769576c8ce16dc92fe3fb1d32f63868749e06ece4afb73f733b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function 
`get_agent_model_config` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=1, if=2, nested_bonus=3, or=2."}, "properties": {"repobilityId": 81896, "scanner": "repobility-threat-engine", "fingerprint": "6056a08d99109147a971554aea57b7656ef6cf1a4ce82e6cec648cdc72e170bf", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_agent_model_config", "breakdown": {"if": 2, "or": 2, "for": 1, "nested_bonus": 3}, "complexity": 8, "correlation_key": "fp|6056a08d99109147a971554aea57b7656ef6cf1a4ce82e6cec648cdc72e170bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/models/schemas.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `startup_event` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=3, except=1, if=3, nested_bonus=3."}, "properties": {"repobilityId": 81895, "scanner": "repobility-threat-engine", "fingerprint": "7a48509311e9e45183513270ac4ea2b659408897779b4687c4534b6f09c88666", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "startup_event", "breakdown": {"if": 3, "else": 3, "except": 1, "nested_bonus": 3}, "complexity": 10, "correlation_key": "fp|7a48509311e9e45183513270ac4ea2b659408897779b4687c4534b6f09c88666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/main.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `downgrade` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: except=1, if=6, nested_bonus=1."}, "properties": {"repobilityId": 81894, "scanner": "repobility-threat-engine", "fingerprint": "4c9086534385a16492efa0e67deb15c5c839654194662db2cfe4e0a07f874dec", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "downgrade", "breakdown": {"if": 6, "except": 1, "nested_bonus": 1}, "complexity": 8, "correlation_key": "fp|4c9086534385a16492efa0e67deb15c5c839654194662db2cfe4e0a07f874dec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/alembic/versions/3f9a6b7c8d2e_add_hedgefundflowruncycle_table.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `eslint-plugin-react-refresh` is minor version(s) behind (0.4.5 -> 0.5.2)"}, "properties": {"repobilityId": 81888, "scanner": "repobility-dependency-currency", "fingerprint": "469352363b45d89bde68376e05fc5e2a6dc6ed96ecdac093d7841fc8308d6821", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-react-refresh", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.2", "correlation_key": "fp|469352363b45d89bde68376e05fc5e2a6dc6ed96ecdac093d7841fc8308d6821", "current_version": "0.4.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `autoprefixer` is minor version(s) behind (10.4.21 -> 10.5.0)"}, "properties": {"repobilityId": 81887, "scanner": 
"repobility-dependency-currency", "fingerprint": "b88b68ecc1dffe6c920916aeae13d8c767820f1c9d1ba5b4e07186787d6956df", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "autoprefixer", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.5.0", "correlation_key": "fp|b88b68ecc1dffe6c920916aeae13d8c767820f1c9d1ba5b4e07186787d6956df", "current_version": "10.4.21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tailwind-merge` is minor version(s) behind (3.2.0 -> 3.6.0)"}, "properties": {"repobilityId": 81883, "scanner": "repobility-dependency-currency", "fingerprint": "6f6a1d9c445a118df6e5ca34c1c1ab52f98b9a8192163a0bc2b5ee9f09d0d3e0", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tailwind-merge", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.6.0", "correlation_key": "fp|6f6a1d9c445a118df6e5ca34c1c1ab52f98b9a8192163a0bc2b5ee9f09d0d3e0", "current_version": "3.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@xyflow/react` is minor version(s) behind (12.5.1 -> 12.11.0)"}, "properties": {"repobilityId": 81879, "scanner": "repobility-dependency-currency", "fingerprint": "5e639c1339649f0b46d998182f33c2834af532894c58ca31ac60bf1d0dfaf092", "category": "dependency", 
"severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@xyflow/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.11.0", "correlation_key": "fp|5e639c1339649f0b46d998182f33c2834af532894c58ca31ac60bf1d0dfaf092", "current_version": "12.5.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `iniconfig` is minor version(s) behind (2.1.0 -> 2.3.0)"}, "properties": {"repobilityId": 81870, "scanner": "repobility-dependency-currency", "fingerprint": "9d64a688b0a57c927ae768ff934612125a4ce95ee380bf038d4654c9e0c6ea78", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "iniconfig", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.3.0", "correlation_key": "fp|9d64a688b0a57c927ae768ff934612125a4ce95ee380bf038d4654c9e0c6ea78", "current_version": "2.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `idna` is minor version(s) behind (3.11 -> 3.18)"}, "properties": {"repobilityId": 81869, "scanner": "repobility-dependency-currency", "fingerprint": "b0169a1b60b7c20e64be72fd1e88441095d3770bb4d58fc85bbf5ec955d83ecc", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", 
"cwe_ids": [], "package": "idna", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.18", "correlation_key": "fp|b0169a1b60b7c20e64be72fd1e88441095d3770bb4d58fc85bbf5ec955d83ecc", "current_version": "3.11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `httpx` is minor version(s) behind (0.27.2 -> 0.28.1)"}, "properties": {"repobilityId": 81868, "scanner": "repobility-dependency-currency", "fingerprint": "63021f90bd4b9bf057375de21584b64f75b17e12e7d02a79ba91f8645533ba58", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "httpx", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.28.1", "correlation_key": "fp|63021f90bd4b9bf057375de21584b64f75b17e12e7d02a79ba91f8645533ba58", "current_version": "0.27.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `httptools` is minor version(s) behind (0.7.1 -> 0.8.0)"}, "properties": {"repobilityId": 81867, "scanner": "repobility-dependency-currency", "fingerprint": "39161c4d0c72c9272eac2f510cd0b1333e7ffe5a416557c0fe15ae49432c8a5f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "httptools", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.8.0", "correlation_key": 
"fp|39161c4d0c72c9272eac2f510cd0b1333e7ffe5a416557c0fe15ae49432c8a5f", "current_version": "0.7.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `grpcio-status` is minor version(s) behind (1.75.1 -> 1.81.0)"}, "properties": {"repobilityId": 81866, "scanner": "repobility-dependency-currency", "fingerprint": "ad3d80b0d1ce3f9a0fb867401d2d2c2b16b184f46b9446e8afa9397a21223d1e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "grpcio-status", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.81.0", "correlation_key": "fp|ad3d80b0d1ce3f9a0fb867401d2d2c2b16b184f46b9446e8afa9397a21223d1e", "current_version": "1.75.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `googleapis-common-protos` is minor version(s) behind (1.70.0 -> 1.75.0)"}, "properties": {"repobilityId": 81864, "scanner": "repobility-dependency-currency", "fingerprint": "7327242ba518a3ae46ae0f4ea1c3f4ec84ec9dccdebff3deb107681d6c4525c3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "googleapis-common-protos", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.75.0", "correlation_key": "fp|7327242ba518a3ae46ae0f4ea1c3f4ec84ec9dccdebff3deb107681d6c4525c3", "current_version": "1.70.0"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `google-auth` is minor version(s) behind (2.41.1 -> 2.53.0)"}, "properties": {"repobilityId": 81863, "scanner": "repobility-dependency-currency", "fingerprint": "90e6e42cfa1eef81655ddc106d98b2a9988774d18da6781515c1ec7c41a550e4", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "google-auth", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.53.0", "correlation_key": "fp|90e6e42cfa1eef81655ddc106d98b2a9988774d18da6781515c1ec7c41a550e4", "current_version": "2.41.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `google-api-core` is minor version(s) behind (2.26.0 -> 2.31.0)"}, "properties": {"repobilityId": 81862, "scanner": "repobility-dependency-currency", "fingerprint": "e78ea0131d982b645f96edab442237ca97e790a56132d345ee41284b11475fbc", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "google-api-core", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.31.0", "correlation_key": "fp|e78ea0131d982b645f96edab442237ca97e790a56132d345ee41284b11475fbc", "current_version": "2.26.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `google-ai-generativelanguage` is minor 
version(s) behind (0.7.0 -> 0.12.0)"}, "properties": {"repobilityId": 81861, "scanner": "repobility-dependency-currency", "fingerprint": "f2b70004d44e9a9da93e5f266f57426d1a9cc94bcea70853770fa199527e9a6e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "google-ai-generativelanguage", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.12.0", "correlation_key": "fp|f2b70004d44e9a9da93e5f266f57426d1a9cc94bcea70853770fa199527e9a6e", "current_version": "0.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `gigachat` is minor version(s) behind (0.1.42.post2 -> 0.2.1)"}, "properties": {"repobilityId": 81860, "scanner": "repobility-dependency-currency", "fingerprint": "7d3616023844aca20486b04d48fa52d9c8338c90ce785c1b48bee8911fc0fb0b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "gigachat", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.2.1", "correlation_key": "fp|7d3616023844aca20486b04d48fa52d9c8338c90ce785c1b48bee8911fc0fb0b", "current_version": "0.1.42.post2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `fastapi` is minor version(s) behind (0.104.1 -> 0.136.3)"}, "properties": {"repobilityId": 81857, "scanner": "repobility-dependency-currency", "fingerprint": 
"a3364fab57f0e9fe45ed4d085de75ef6eeedad099bbf4cc72a4a7be9c8e7f7fe", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fastapi", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.136.3", "correlation_key": "fp|a3364fab57f0e9fe45ed4d085de75ef6eeedad099bbf4cc72a4a7be9c8e7f7fe", "current_version": "0.104.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `docstring-parser` is minor version(s) behind (0.17.0 -> 0.18.0)"}, "properties": {"repobilityId": 81856, "scanner": "repobility-dependency-currency", "fingerprint": "ae652364d9ac93c9789ee2d6fb4512ec748ad13e196bcc9e1fa576359328ca6d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "docstring-parser", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.18.0", "correlation_key": "fp|ae652364d9ac93c9789ee2d6fb4512ec748ad13e196bcc9e1fa576359328ca6d", "current_version": "0.17.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `click` is minor version(s) behind (8.3.0 -> 8.4.1)"}, "properties": {"repobilityId": 81855, "scanner": "repobility-dependency-currency", "fingerprint": "a76c0406245d40e18ef5397f9eccbfbb3ec2abf4fc05e5758e477a96c433e93e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "click", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "8.4.1", "correlation_key": "fp|a76c0406245d40e18ef5397f9eccbfbb3ec2abf4fc05e5758e477a96c433e93e", "current_version": "8.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `anthropic` is minor version(s) behind (0.70.0 -> 0.105.2)"}, "properties": {"repobilityId": 81848, "scanner": "repobility-dependency-currency", "fingerprint": "39c58675df8f788c9c2cc0ac513f93014ac40689a0ab57a57aef126f900658c4", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "anthropic", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.105.2", "correlation_key": "fp|39c58675df8f788c9c2cc0ac513f93014ac40689a0ab57a57aef126f900658c4", "current_version": "0.70.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `alembic` is minor version(s) behind (1.17.0 -> 1.18.4)"}, "properties": {"repobilityId": 81847, "scanner": "repobility-dependency-currency", "fingerprint": "9a6165091b68807dc9852ae3713472aad923e64306231dc8bc71f9a1ab72fa26", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "alembic", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", 
"languages": ["python"], "latest_version": "1.18.4", "correlation_key": "fp|9a6165091b68807dc9852ae3713472aad923e64306231dc8bc71f9a1ab72fa26", "current_version": "1.17.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81781, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f964a4ee37fbd3b21086d9d419f7994aa4b8497c1a42201b50b6e58f8c86bddb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "v2/backtesting/__main__.py", "duplicate_line": 10, "correlation_key": "fp|f964a4ee37fbd3b21086d9d419f7994aa4b8497c1a42201b50b6e58f8c86bddb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/event_study/__main__.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81780, "scanner": "repobility-ai-code-hygiene", "fingerprint": "adee58b951bcd813835ed931d9ddb0f84dc2a9e2fbf133f7392ec62c43609a98", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/backend/services/graph.py", "duplicate_line": 124, "correlation_key": "fp|adee58b951bcd813835ed931d9ddb0f84dc2a9e2fbf133f7392ec62c43609a98"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "src/main.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81779, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ad6f7bab23822651a559abf2fb779ff8291d50f954a4eb21408546007c69dd34", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/backtesting/cli.py", "duplicate_line": 45, "correlation_key": "fp|ad6f7bab23822651a559abf2fb779ff8291d50f954a4eb21408546007c69dd34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/input.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81778, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c9386d6315f1a4ce3173ec5db57a110ac6855069791ee743a110f302d1decbe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/cathie_wood.py", "duplicate_line": 320, "correlation_key": "fp|4c9386d6315f1a4ce3173ec5db57a110ac6855069791ee743a110f302d1decbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/stanley_druckenmiller.py"}, "region": {"startLine": 449}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation 
block across source files"}, "properties": {"repobilityId": 81777, "scanner": "repobility-ai-code-hygiene", "fingerprint": "effab88e3427c81b829b468ddd2596a407b8e88759157debee4b8a6bbe652706", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/phil_fisher.py", "duplicate_line": 54, "correlation_key": "fp|effab88e3427c81b829b468ddd2596a407b8e88759157debee4b8a6bbe652706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/stanley_druckenmiller.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81776, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64aa88c93159b0e045e79f768364259fcd5857546437ce81f9ec57043c09df2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/peter_lynch.py", "duplicate_line": 43, "correlation_key": "fp|64aa88c93159b0e045e79f768364259fcd5857546437ce81f9ec57043c09df2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/stanley_druckenmiller.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81775, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"8aca94a42fb2af766243b69888d35bae8f4d85c2053079897266a50d18f13c5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/news_sentiment.py", "duplicate_line": 104, "correlation_key": "fp|8aca94a42fb2af766243b69888d35bae8f4d85c2053079897266a50d18f13c5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/sentiment.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81774, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eed36ea482fc0dbc252a7ee5beaf4a796004b180b52d6e21f30f0fffad1c6ab6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/michael_burry.py", "duplicate_line": 249, "correlation_key": "fp|eed36ea482fc0dbc252a7ee5beaf4a796004b180b52d6e21f30f0fffad1c6ab6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/rakesh_jhunjhunwala.py"}, "region": {"startLine": 532}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81773, "scanner": "repobility-ai-code-hygiene", "fingerprint": "14edc7e513bbd5a1a5d9c5e1736e624462242d78afe6b0323ca67cc353647565", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/cathie_wood.py", "duplicate_line": 320, "correlation_key": "fp|14edc7e513bbd5a1a5d9c5e1736e624462242d78afe6b0323ca67cc353647565"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/phil_fisher.py"}, "region": {"startLine": 459}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81772, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6ca0b341277c887631c9f9531f4df448e074e88de3b4b2ab29c25da4ceea60e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/agents/peter_lynch.py", "duplicate_line": 59, "correlation_key": "fp|6ca0b341277c887631c9f9531f4df448e074e88de3b4b2ab29c25da4ceea60e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/phil_fisher.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81771, "scanner": "repobility-ai-code-hygiene", "fingerprint": "095b331f0e423f3b47c543dfcee9f0ff4d73b93f4eeb9aea44d52f92b235d69c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/frontend/src/services/api.ts", "duplicate_line": 77, "correlation_key": "fp|095b331f0e423f3b47c543dfcee9f0ff4d73b93f4eeb9aea44d52f92b235d69c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/services/backtest-api.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81770, "scanner": "repobility-ai-code-hygiene", "fingerprint": "687fc0cff3edbeb67a686b0cd68eb8e9ab1ea2547778134c31260cd74ea0a3a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/frontend/src/nodes/components/portfolio-start-node.tsx", "duplicate_line": 4, "correlation_key": "fp|687fc0cff3edbeb67a686b0cd68eb8e9ab1ea2547778134c31260cd74ea0a3a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/nodes/components/stock-analyzer-node.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81769, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06b6c17725183467d6079e06d357fc4e01b8d89f8f9a47c3e019e9b6a8b1e67c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"app/frontend/src/nodes/components/investment-report-node.tsx", "duplicate_line": 36, "correlation_key": "fp|06b6c17725183467d6079e06d357fc4e01b8d89f8f9a47c3e019e9b6a8b1e67c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/nodes/components/json-output-node.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81768, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da5faf2e71835c669147a4385cba7daaf4d90f9db8ff5731a8ecb6569b208a7f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/frontend/src/nodes/components/agent-output-dialog.tsx", "duplicate_line": 181, "correlation_key": "fp|da5faf2e71835c669147a4385cba7daaf4d90f9db8ff5731a8ecb6569b208a7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/nodes/components/json-output-dialog.tsx"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81767, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45f0c0a5c7431cb95cdcc186d4bd9fcf5c2943dcab2de4cc87d2df0c3f2830f4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/frontend/src/hooks/use-enhanced-flow-actions.ts", 
"duplicate_line": 15, "correlation_key": "fp|45f0c0a5c7431cb95cdcc186d4bd9fcf5c2943dcab2de4cc87d2df0c3f2830f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/hooks/use-flow-management.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81766, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c79f520bb6d14260d64dec8d1841c7fc758223657f469992d264965d85ba1c3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/frontend/src/hooks/use-flow-management-tabs.ts", "duplicate_line": 15, "correlation_key": "fp|4c79f520bb6d14260d64dec8d1841c7fc758223657f469992d264965d85ba1c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/hooks/use-flow-management.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81765, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7d412902637d549e10f0a75bf8c15a9655764e034e842e5b349e579a2804037", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/frontend/src/hooks/use-enhanced-flow-actions.ts", "duplicate_line": 15, "correlation_key": 
"fp|f7d412902637d549e10f0a75bf8c15a9655764e034e842e5b349e579a2804037"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/hooks/use-flow-management-tabs.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81764, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5326b7e7a7906ae8aea3fff78dd8ef46d6a4033676aa71cce4cb3c894ab8a1d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/frontend/src/components/settings/models/cloud.tsx", "duplicate_line": 82, "correlation_key": "fp|5326b7e7a7906ae8aea3fff78dd8ef46d6a4033676aa71cce4cb3c894ab8a1d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/components/settings/models/ollama.tsx"}, "region": {"startLine": 683}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81763, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e25beead3d5de4dfb0ff3ce483934d0f60d66821ecca6e4872e6628f9f93d130", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/frontend/src/components/panels/left/flow-create-dialog.tsx", "duplicate_line": 98, "correlation_key": 
"fp|e25beead3d5de4dfb0ff3ce483934d0f60d66821ecca6e4872e6628f9f93d130"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/components/panels/left/flow-edit-dialog.tsx"}, "region": {"startLine": 100}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 81761, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 81939, "scanner": "repobility-threat-engine", "fingerprint": "86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "aggregated_count": 1}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 81938, "scanner": "repobility-threat-engine", "fingerprint": "c4d1b11eb2ae78c8f66d0902114c1862b165ea5e5d46bf5bccce577b6ea45285", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c4d1b11eb2ae78c8f66d0902114c1862b165ea5e5d46bf5bccce577b6ea45285"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/protocol.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 81937, "scanner": "repobility-threat-engine", "fingerprint": "713e16fa623594e4db7abc9a0f96ec8296b3bf1a2c3c3555e21fb9a56f3e7f27", "category": "quality", "severity": "info", 
"confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|713e16fa623594e4db7abc9a0f96ec8296b3bf1a2c3c3555e21fb9a56f3e7f27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/backtesting/strategy.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 81936, "scanner": "repobility-threat-engine", "fingerprint": "2d4f8ab70d70de2163e9f78b68ff7558aefcae6d9cf5c955c61cd1ee152ddeaa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2d4f8ab70d70de2163e9f78b68ff7558aefcae6d9cf5c955c61cd1ee152ddeaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/llm.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 81935, "scanner": "repobility-threat-engine", "fingerprint": "f21a66a81680da9e34b3831bc91a9f2de533ed4073fd227cb79d31f5c5015ed8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f21a66a81680da9e34b3831bc91a9f2de533ed4073fd227cb79d31f5c5015ed8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/docker.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 81934, "scanner": "repobility-threat-engine", "fingerprint": "69968d72d8e00b9975e8319a1bd44b26fd4e79ee7a9ea2ff1169b5009e7ae95b", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|69968d72d8e00b9975e8319a1bd44b26fd4e79ee7a9ea2ff1169b5009e7ae95b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/docker.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED009", "level": "none", "message": {"text": "[MINED009] Floats For Money (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 81932, "scanner": "repobility-threat-engine", "fingerprint": "0df4cb2fbea220f3202f6f25a9fdf12664cf406497984bbe6567ae142c57ddcf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0df4cb2fbea220f3202f6f25a9fdf12664cf406497984bbe6567ae142c57ddcf", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 81927, "scanner": "repobility-threat-engine", "fingerprint": "a9d09171fc08bf5db951417b331ce09c205675eab10151f1e87b06bb5f4ae684", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a9d09171fc08bf5db951417b331ce09c205675eab10151f1e87b06bb5f4ae684"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/run.sh"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 81926, "scanner": "repobility-threat-engine", "fingerprint": "2a70ebe47f6c1f773e96453253bf9933bc5d0f9faccf3e5d1c53be86dd1e2539", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a70ebe47f6c1f773e96453253bf9933bc5d0f9faccf3e5d1c53be86dd1e2539"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 81924, "scanner": "repobility-threat-engine", "fingerprint": "5fda63ac51cbe7a682ebc6956714175a3a3a3cd6f602f32df4f5be928c2281bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5fda63ac51cbe7a682ebc6956714175a3a3a3cd6f602f32df4f5be928c2281bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/nodes/components/investment-report-dialog.tsx"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 81923, "scanner": "repobility-threat-engine", "fingerprint": "10bd3a6bf1727f8e40de190232a713a2fff5e73d4362d0e919d49f7d84d8f3d1", "category": "quality", "severity": 
"info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10bd3a6bf1727f8e40de190232a713a2fff5e73d4362d0e919d49f7d84d8f3d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/hooks/use-output-node-connection.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 81920, "scanner": "repobility-threat-engine", "fingerprint": "35bedd0240d3fc4d57f3c1f1fde9b6f248438c5e761a4848023fa16a9a5d0a46", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|35bedd0240d3fc4d57f3c1f1fde9b6f248438c5e761a4848023fa16a9a5d0a46", "aggregated_count": 10}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 81919, "scanner": "repobility-threat-engine", "fingerprint": "c2078b5d21e9c03f72e0f54f1fbf473f55023c44b36714c11608973a05989e81", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2078b5d21e9c03f72e0f54f1fbf473f55023c44b36714c11608973a05989e81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/hooks/use-enhanced-flow-actions.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 81918, "scanner": "repobility-threat-engine", "fingerprint": "dfa547d019f276aa8864e42dcefd7b3efe13a81230979852aa8bee6b1c4372ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dfa547d019f276aa8864e42dcefd7b3efe13a81230979852aa8bee6b1c4372ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/components/tabs/flow-tab-content.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 81917, "scanner": "repobility-threat-engine", "fingerprint": "7a9f9568b691f341e3467244715a1b57a2ac6e31f329aa9d9d789357f076ac7c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a9f9568b691f341e3467244715a1b57a2ac6e31f329aa9d9d789357f076ac7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/components/panels/bottom/tabs/regular-output.tsx"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 81916, "scanner": "repobility-threat-engine", "fingerprint": "eece1e53f0c54990092a553225d8a8dd6fc6f05caea5cac5d0ac36aa86c6bc72", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eece1e53f0c54990092a553225d8a8dd6fc6f05caea5cac5d0ac36aa86c6bc72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/utils/text-utils.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 81915, "scanner": "repobility-threat-engine", "fingerprint": "29e1069f364e30698bd117ca33f5b2f0067cda9545a7f44495d26eabf37f03f8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|29e1069f364e30698bd117ca33f5b2f0067cda9545a7f44495d26eabf37f03f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/hooks/use-node-state.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 81914, "scanner": "repobility-threat-engine", "fingerprint": "22d1ea66fc3a565c5e5780194efa29f928f00cb49843beda0f88383318e80c86", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|22d1ea66fc3a565c5e5780194efa29f928f00cb49843beda0f88383318e80c86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/components/panels/bottom/tabs/regular-output.tsx"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 81913, "scanner": "repobility-threat-engine", "fingerprint": "44e64582de9481b6561c25738923c6947e25ed1cc21e68e4e015ec2a7fa42989", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|44e64582de9481b6561c25738923c6947e25ed1cc21e68e4e015ec2a7fa42989"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/nodes/components/agent-output-dialog.tsx"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 81912, "scanner": "repobility-threat-engine", "fingerprint": "9c1dacf05333e9bdacf8cfaa674b017d2fd8c6b92cde071327f68f1615cab664", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9c1dacf05333e9bdacf8cfaa674b017d2fd8c6b92cde071327f68f1615cab664"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/components/panels/bottom/tabs/reasoning-content.tsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 81911, "scanner": "repobility-threat-engine", "fingerprint": "6c343569363dd0a3833bf7122ebe77c77c7fe0326e0e996e6706685c8f85b729", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6c343569363dd0a3833bf7122ebe77c77c7fe0326e0e996e6706685c8f85b729", "aggregated_count": 23}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 81910, "scanner": "repobility-threat-engine", "fingerprint": "be54bea03954bfbaa3cc04a6df0be939d7e0ccb60fe5308a38d866edaeaa02b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be54bea03954bfbaa3cc04a6df0be939d7e0ccb60fe5308a38d866edaeaa02b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/components/panels/left/flow-create-dialog.tsx"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 81909, "scanner": "repobility-threat-engine", "fingerprint": "395372249eb43a7a736854a8c1a0cfbc0d204d340223a37ef4ea96469797e259", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|395372249eb43a7a736854a8c1a0cfbc0d204d340223a37ef4ea96469797e259"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/components/panels/bottom/tabs/reasoning-content.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 81908, "scanner": "repobility-threat-engine", "fingerprint": "b933b9719ae2be4deacf1cd38ed90950b74c5a4f78291bd70a8ed7349e373c4c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b933b9719ae2be4deacf1cd38ed90950b74c5a4f78291bd70a8ed7349e373c4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/components/Flow.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 81907, "scanner": "repobility-threat-engine", "fingerprint": "71b38a4f77a05f6bfd16b2fbcd1b951e2a53f712faa7be5e8d969d6783a4c212", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|71b38a4f77a05f6bfd16b2fbcd1b951e2a53f712faa7be5e8d969d6783a4c212"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 81903, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 37 more): Same pattern found in 37 additional files. Review if needed."}, "properties": {"repobilityId": 81897, "scanner": "repobility-threat-engine", "fingerprint": "7aa5b749e2beb16a32c597696986fa2fc88f84ef76bf450bd8f4e8ec97eba706", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 37 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "downgrade", "breakdown": {"if": 6, "except": 1, "nested_bonus": 1}, "aggregated": true, "complexity": 8, "correlation_key": "fp|7aa5b749e2beb16a32c597696986fa2fc88f84ef76bf450bd8f4e8ec97eba706", "aggregated_count": 37}}}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `postcss` is patch version(s) behind (8.5.3 -> 8.5.15)"}, "properties": {"repobilityId": 81889, "scanner": "repobility-dependency-currency", "fingerprint": "fbf364101fd297662ebbe26976459b029dadb117a603edf9184e3759ae1ccfc5", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "postcss", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.5.15", "correlation_key": "fp|fbf364101fd297662ebbe26976459b029dadb117a603edf9184e3759ae1ccfc5", "current_version": "8.5.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@tailwindcss/typography` is patch version(s) behind (0.5.16 -> 0.5.19)"}, "properties": {"repobilityId": 81884, "scanner": "repobility-dependency-currency", "fingerprint": "659f2dce655fbbe96b8028d699a3ca3f8ddb53e47237cbd155bef9fbdf7a8fc3", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tailwindcss/typography", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.19", "correlation_key": 
"fp|659f2dce655fbbe96b8028d699a3ca3f8ddb53e47237cbd155bef9fbdf7a8fc3", "current_version": "0.5.16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `sonner` is patch version(s) behind (2.0.5 -> 2.0.7)"}, "properties": {"repobilityId": 81882, "scanner": "repobility-dependency-currency", "fingerprint": "e5289eba04f646d537946527d3e76957cedc60893ba04d77c389310d73df4046", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "sonner", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.7", "correlation_key": "fp|e5289eba04f646d537946527d3e76957cedc60893ba04d77c389310d73df4046", "current_version": "2.0.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@radix-ui/react-tooltip` is patch version(s) behind (1.2.7 -> 1.2.8)"}, "properties": {"repobilityId": 81878, "scanner": "repobility-dependency-currency", "fingerprint": "77b01fbac40841700ffdb79b844d331c6cf4f4ba79c09b460534b3a68c69b7d8", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@radix-ui/react-tooltip", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.2.8", "correlation_key": "fp|77b01fbac40841700ffdb79b844d331c6cf4f4ba79c09b460534b3a68c69b7d8", "current_version": "1.2.7"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@radix-ui/react-tabs` is patch version(s) behind (1.1.12 -> 1.1.13)"}, "properties": {"repobilityId": 81877, "scanner": "repobility-dependency-currency", "fingerprint": "b8d625c4700919341acc46f4a8196d9610619ac01981a0fd8e2e9bfcdb9295b7", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@radix-ui/react-tabs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.1.13", "correlation_key": "fp|b8d625c4700919341acc46f4a8196d9610619ac01981a0fd8e2e9bfcdb9295b7", "current_version": "1.1.12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@radix-ui/react-slot` is patch version(s) behind (1.2.3 -> 1.2.4)"}, "properties": {"repobilityId": 81876, "scanner": "repobility-dependency-currency", "fingerprint": "912cf8c73894d18942f0f1031fb25fd184753f44c6330f66b33f9214ca60363e", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@radix-ui/react-slot", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.2.4", "correlation_key": "fp|912cf8c73894d18942f0f1031fb25fd184753f44c6330f66b33f9214ca60363e", "current_version": "1.2.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": 
"none", "message": {"text": "npm package `@radix-ui/react-separator` is patch version(s) behind (1.1.7 -> 1.1.8)"}, "properties": {"repobilityId": 81875, "scanner": "repobility-dependency-currency", "fingerprint": "1b6df5215437f3c4e702c5ccc47738e48a3f3b218ccea0fd11cee88bf3dbd556", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@radix-ui/react-separator", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.1.8", "correlation_key": "fp|1b6df5215437f3c4e702c5ccc47738e48a3f3b218ccea0fd11cee88bf3dbd556", "current_version": "1.1.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@radix-ui/react-popover` is patch version(s) behind (1.1.14 -> 1.1.15)"}, "properties": {"repobilityId": 81874, "scanner": "repobility-dependency-currency", "fingerprint": "b01b6f316566605d15071029ab4fcbbc97fff1a1332a41111cd275eeb2857056", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@radix-ui/react-popover", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.1.15", "correlation_key": "fp|b01b6f316566605d15071029ab4fcbbc97fff1a1332a41111cd275eeb2857056", "current_version": "1.1.14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@radix-ui/react-dialog` is patch version(s) behind (1.1.13 -> 
1.1.15)"}, "properties": {"repobilityId": 81873, "scanner": "repobility-dependency-currency", "fingerprint": "4be411422fa8907a6024e96cbc2944e35e44de3c3ab5efbb0f40997646ba2728", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@radix-ui/react-dialog", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.1.15", "correlation_key": "fp|4be411422fa8907a6024e96cbc2944e35e44de3c3ab5efbb0f40997646ba2728", "current_version": "1.1.13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@radix-ui/react-checkbox` is patch version(s) behind (1.3.2 -> 1.3.3)"}, "properties": {"repobilityId": 81872, "scanner": "repobility-dependency-currency", "fingerprint": "a3e75d6a0060e3ae3e023853405858e95ec53a7b57084485ac27d20012062551", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@radix-ui/react-checkbox", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.3.3", "correlation_key": "fp|a3e75d6a0060e3ae3e023853405858e95ec53a7b57084485ac27d20012062551", "current_version": "1.3.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@radix-ui/react-accordion` is patch version(s) behind (1.2.11 -> 1.2.12)"}, "properties": {"repobilityId": 81871, "scanner": "repobility-dependency-currency", "fingerprint": 
"3cf1879c09bedaa476a0b48ff9d4f489f8849be04424ebaa7d324dac34885238", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@radix-ui/react-accordion", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.2.12", "correlation_key": "fp|3cf1879c09bedaa476a0b48ff9d4f489f8849be04424ebaa7d324dac34885238", "current_version": "1.2.11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `fastapi-cli` is patch version(s) behind (0.0.7 -> 0.0.24)"}, "properties": {"repobilityId": 81858, "scanner": "repobility-dependency-currency", "fingerprint": "2b35c85e2600c1176c75cfcf4b1d52c6c229ccd48d7fa2d22ad13feed637a355", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fastapi-cli", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.0.24", "correlation_key": "fp|2b35c85e2600c1176c75cfcf4b1d52c6c229ccd48d7fa2d22ad13feed637a355", "current_version": "0.0.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `charset-normalizer` is patch version(s) behind (3.4.4 -> 3.4.7)"}, "properties": {"repobilityId": 81854, "scanner": "repobility-dependency-currency", "fingerprint": "fdf7e6350a547508eceb3018ac2d25c933638cd5f5adecb216eb49ef263724fc", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "charset-normalizer", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.4.7", "correlation_key": "fp|fdf7e6350a547508eceb3018ac2d25c933638cd5f5adecb216eb49ef263724fc", "current_version": "3.4.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `aiohappyeyeballs` is patch version(s) behind (2.6.1 -> 2.6.2)"}, "properties": {"repobilityId": 81846, "scanner": "repobility-dependency-currency", "fingerprint": "5d9b6dab837244fd08055a328a515eaf55fc6ad8a020807cca1bdd19cd0c5166", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "aiohappyeyeballs", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.6.2", "correlation_key": "fp|5d9b6dab837244fd08055a328a515eaf55fc6ad8a020807cca1bdd19cd0c5166", "current_version": "2.6.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gm62-xv2j-4w53", "level": "error", "message": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "properties": {"repobilityId": 82079, "scanner": "osv-scanner", "fingerprint": "b2a50e726773a043c9effef6b94ad00fc0c87dc468a04be1f2fa5848a9b782fd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66418"], "package": "urllib3", "rule_id": "GHSA-gm62-xv2j-4w53", "scanner": "osv-scanner", "correlation_key": 
"vuln|urllib3|CVE-2025-66418|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38jv-5279-wg99", "level": "error", "message": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "properties": {"repobilityId": 82078, "scanner": "osv-scanner", "fingerprint": "e7f26c2e6e1b27685223e6d9d3bb4fb1792f1b6189a93c58d000ef285ed8ae05", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-21441"], "package": "urllib3", "rule_id": "GHSA-38jv-5279-wg99", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-21441|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2xpw-w6gg-jr37", "level": "error", "message": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "properties": {"repobilityId": 82077, "scanner": "osv-scanner", "fingerprint": "a77d9c27abd43c76702c9126a59340a0e2971ecded931fbb2a0473374a6229b8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66471"], "package": "urllib3", "rule_id": "GHSA-2xpw-w6gg-jr37", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66471|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-141", "level": "error", "message": {"text": "urllib3: PYSEC-2026-141"}, "properties": {"repobilityId": 82076, "scanner": "osv-scanner", "fingerprint": "c47ac1cbe422435f5e177a60f73466d8b5a72d96d72e757478dd2de73e5b2722", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same 
underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc"], "package": "urllib3", "rule_id": "PYSEC-2026-141", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44431|poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["66eeb0c0ea9496c6a0e8f35e17278862ea230908c2bd8099335574f10c33c177", "c47ac1cbe422435f5e177a60f73466d8b5a72d96d72e757478dd2de73e5b2722"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f96h-pmfr-66vw", "level": "error", "message": {"text": "starlette: GHSA-f96h-pmfr-66vw"}, "properties": {"repobilityId": 82075, "scanner": "osv-scanner", "fingerprint": "93946d9b52a1f3a5e0cdbf389971a5d38859c3e2377ea9b17dc5aa9b6b7db68c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47874"], "package": "starlette", "rule_id": "GHSA-f96h-pmfr-66vw", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2024-47874|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 82073, "scanner": "osv-scanner", "fingerprint": "fd55ec2ae47dd01ab8a1373884b4c1d940dc45b1d3ddbc9dc702cc8815500bea", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", 
"correlation_key": "vuln|starlette|CVE-2026-48710|poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["b9d16898f2391df658b18c71463396760c0b7c9a675313101c1eaa00a7a534b6", "fd55ec2ae47dd01ab8a1373884b4c1d940dc45b1d3ddbc9dc702cc8815500bea"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jr27-m4p2-rc6r", "level": "error", "message": {"text": "pyasn1: GHSA-jr27-m4p2-rc6r"}, "properties": {"repobilityId": 82068, "scanner": "osv-scanner", "fingerprint": "2ebc8bf059fb50319d29c040dbb995e81eb99673f3fef9f85c573a331badbf5b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-30922"], "package": "pyasn1", "rule_id": "GHSA-jr27-m4p2-rc6r", "scanner": "osv-scanner", "correlation_key": "vuln|pyasn1|CVE-2026-30922|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-63vm-454h-vhhq", "level": "error", "message": {"text": "pyasn1: GHSA-63vm-454h-vhhq"}, "properties": {"repobilityId": 82067, "scanner": "osv-scanner", "fingerprint": "a8dcc9aa2ffe7d54c35577028051dce513b5d3e17d757934474948df0eb7fc0f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23490"], "package": "pyasn1", "rule_id": "GHSA-63vm-454h-vhhq", "scanner": "osv-scanner", "correlation_key": "vuln|pyasn1|CVE-2026-23490|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7gcm-g887-7qv7", "level": "error", "message": {"text": "protobuf: GHSA-7gcm-g887-7qv7"}, "properties": 
{"repobilityId": 82066, "scanner": "osv-scanner", "fingerprint": "f4f2ced5d324c8a64fadb0d73597e6209900b5b3f79ce09950ec549801b41e50", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-0994"], "package": "protobuf", "rule_id": "GHSA-7gcm-g887-7qv7", "scanner": "osv-scanner", "correlation_key": "vuln|protobuf|CVE-2026-0994|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-whj4-6x5x-4v2j", "level": "error", "message": {"text": "pillow: GHSA-whj4-6x5x-4v2j"}, "properties": {"repobilityId": 82065, "scanner": "osv-scanner", "fingerprint": "a9706d9b1121a834ab1ba7485b343416e02d3ab86fc7bc0b5b0ec08a74df5b3c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-40192", "CVE-2026-40192"], "package": "pillow", "rule_id": "GHSA-whj4-6x5x-4v2j", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-40192|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pwv6-vv43-88gr", "level": "error", "message": {"text": "pillow: GHSA-pwv6-vv43-88gr"}, "properties": {"repobilityId": 82063, "scanner": "osv-scanner", "fingerprint": "f571d9408846e8cab8380c1466d4aed720f1fb9c63fc8efe1b4828c2b0a925f5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42311", "CVE-2026-42311"], "package": "pillow", "rule_id": "GHSA-pwv6-vv43-88gr", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42311|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cfh3-3jmp-rvhc", "level": "error", "message": {"text": "pillow: GHSA-cfh3-3jmp-rvhc"}, "properties": {"repobilityId": 82062, "scanner": "osv-scanner", "fingerprint": "a7d29ff5d344881b7c8061964891520121cfb0ed58104663d0474535f9b13b7a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-25990", "CVE-2026-25990"], "package": "pillow", "rule_id": "GHSA-cfh3-3jmp-rvhc", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-25990|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-165", "level": "error", "message": {"text": "pillow: PYSEC-2026-165"}, "properties": {"repobilityId": 82060, "scanner": "osv-scanner", "fingerprint": "dcb7e71960719e8693eb726c276803bd3e5dbf23589493b62e8e55c41f3d31aa", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42308", "CVE-2026-42308", "GHSA-wjx4-4jcj-g98j"], "package": "pillow", "rule_id": "PYSEC-2026-165", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42308|poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-wjx4-4jcj-g98j", "PYSEC-2026-165"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["7dd6405ba1ab065ea18939e72d1e5886e2b73b2113ad276efbc158a504f726df", "dcb7e71960719e8693eb726c276803bd3e5dbf23589493b62e8e55c41f3d31aa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-107", "level": "error", "message": {"text": "orjson: PYSEC-2026-107"}, "properties": {"repobilityId": 
82059, "scanner": "osv-scanner", "fingerprint": "8626cbca17b71288ce5ec22bde6a1bcce8ec62e9f0df7cf8735d05b0f22af6da", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-67221", "GHSA-hx9q-6w63-j58v"], "package": "orjson", "rule_id": "PYSEC-2026-107", "scanner": "osv-scanner", "correlation_key": "vuln|orjson|CVE-2025-67221|poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-hx9q-6w63-j58v", "PYSEC-2026-107"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8626cbca17b71288ce5ec22bde6a1bcce8ec62e9f0df7cf8735d05b0f22af6da", "926da9768f2c2ec266407165c8f051c21486e09fa168ec68fcf9add1cc244188"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2h4p-vjrc-8xpq", "level": "error", "message": {"text": "mako: GHSA-2h4p-vjrc-8xpq"}, "properties": {"repobilityId": 82058, "scanner": "osv-scanner", "fingerprint": "140480463bdf04763a86040e498bb64740a4b99cc2142fb0d9b50106e7ccee62", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44307"], "package": "mako", "rule_id": "GHSA-2h4p-vjrc-8xpq", "scanner": "osv-scanner", "correlation_key": "vuln|mako|CVE-2026-44307|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-88", "level": "error", "message": {"text": "mako: PYSEC-2026-88"}, "properties": {"repobilityId": 82057, "scanner": "osv-scanner", "fingerprint": "dbed573ede7aa84e35e5547512d07b372c3aae3b7a1afee55f01c3c97381258d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41205", "GHSA-v92g-xgxw-vvmm"], "package": "mako", "rule_id": "PYSEC-2026-88", "scanner": "osv-scanner", "correlation_key": "vuln|mako|CVE-2026-41205|poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-v92g-xgxw-vvmm", "PYSEC-2026-88"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["784441d201e4f1ead87913d5e2c299823c94b3305209231194b1b07c8d6a1616", "dbed573ede7aa84e35e5547512d07b372c3aae3b7a1afee55f01c3c97381258d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3644-q5cj-c5c7", "level": "error", "message": {"text": "langsmith: GHSA-3644-q5cj-c5c7"}, "properties": {"repobilityId": 82054, "scanner": "osv-scanner", "fingerprint": "0278b9df5a922506d1d053e710e5ca9f54a1e1bede3dab79b913b196b85faff0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45134"], "package": "langsmith", "rule_id": "GHSA-3644-q5cj-c5c7", "scanner": "osv-scanner", "correlation_key": "vuln|langsmith|CVE-2026-45134|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wwqv-p2pp-99h5", "level": "error", "message": {"text": "langgraph-checkpoint: GHSA-wwqv-p2pp-99h5"}, "properties": {"repobilityId": 82053, "scanner": "osv-scanner", "fingerprint": "792e5515575b937bae223e36c6de44290e65375a3b8a0184bf4f6f1901789d48", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64439"], "package": "langgraph-checkpoint", "rule_id": "GHSA-wwqv-p2pp-99h5", "scanner": "osv-scanner", "correlation_key": 
"vuln|langgraph-checkpoint|CVE-2025-64439|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-83", "level": "error", "message": {"text": "langgraph: PYSEC-2026-83"}, "properties": {"repobilityId": 82051, "scanner": "osv-scanner", "fingerprint": "9ea550b36bd793ca0b4332e63872b07b6e7526b2407c6c453a8e99694ef4c966", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-28277", "GHSA-g48c-2wqr-h844"], "package": "langgraph", "rule_id": "PYSEC-2026-83", "scanner": "osv-scanner", "correlation_key": "vuln|langgraph|CVE-2026-28277|poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-g48c-2wqr-h844", "PYSEC-2026-83"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["9ea550b36bd793ca0b4332e63872b07b6e7526b2407c6c453a8e99694ef4c966", "c433e837cfca3a041b708927aba07c150fddebf981a262b9479c2473abd62a96"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-77", "level": "error", "message": {"text": "langchain-text-splitters: PYSEC-2026-77"}, "properties": {"repobilityId": 82050, "scanner": "osv-scanner", "fingerprint": "1db8e7d1a28e397ec972bf84f185a9de320e57618fd26287e6dc77b838452320", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41481", "GHSA-fv5p-p927-qmxr"], "package": "langchain-text-splitters", "rule_id": "PYSEC-2026-77", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-text-splitters|CVE-2026-41481|poetry.lock", "duplicate_count": 1, 
"duplicate_rule_ids": ["GHSA-fv5p-p927-qmxr", "PYSEC-2026-77"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1db8e7d1a28e397ec972bf84f185a9de320e57618fd26287e6dc77b838452320", "e9ae0c54297f7be7e18c5f43b12dc842b4e604edc9299a1a10051adf0c42ed12"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-76", "level": "error", "message": {"text": "langchain-openai: PYSEC-2026-76"}, "properties": {"repobilityId": 82049, "scanner": "osv-scanner", "fingerprint": "24a1ba3d1e52c5c0901c4bc4d8f8c08d3dff84ab59ead4f8c6aaecc0e56e9d46", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41488", "GHSA-r7w7-9xr2-qq2r"], "package": "langchain-openai", "rule_id": "PYSEC-2026-76", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-openai|CVE-2026-41488|poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r7w7-9xr2-qq2r", "PYSEC-2026-76"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["24a1ba3d1e52c5c0901c4bc4d8f8c08d3dff84ab59ead4f8c6aaecc0e56e9d46", "6d3eb49b2e3263b3248d8340bc92000d7cc96a34ee8006a05e33c66cbf44229c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qh6h-p6c9-ff54", "level": "error", "message": {"text": "langchain-core: GHSA-qh6h-p6c9-ff54"}, "properties": {"repobilityId": 82048, "scanner": "osv-scanner", "fingerprint": "9f3da34cfb13e1b8f137683cad5dcb0d4986d6a78697aa414b74c43606e2fcc2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34070"], "package": "langchain-core", "rule_id": "GHSA-qh6h-p6c9-ff54", 
"scanner": "osv-scanner", "correlation_key": "vuln|langchain-core|CVE-2026-34070|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pjwx-r37v-7724", "level": "error", "message": {"text": "langchain-core: GHSA-pjwx-r37v-7724"}, "properties": {"repobilityId": 82047, "scanner": "osv-scanner", "fingerprint": "d32e3d61ed5aa20920edfc479ffc69b28dfc8d8b0ea56c83dcb5e81eedf3282e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44843"], "package": "langchain-core", "rule_id": "GHSA-pjwx-r37v-7724", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-core|CVE-2026-44843|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6qv9-48xg-fc7f", "level": "error", "message": {"text": "langchain-core: GHSA-6qv9-48xg-fc7f"}, "properties": {"repobilityId": 82044, "scanner": "osv-scanner", "fingerprint": "4d2c2fd58479ee6ea29ed05f7215f4e7962e0ee917a8cb6ac19ad2a3b254edc8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-65106"], "package": "langchain-core", "rule_id": "GHSA-6qv9-48xg-fc7f", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-core|CVE-2025-65106|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3644-q5cj-c5c7", "level": "error", "message": {"text": "langchain: GHSA-3644-q5cj-c5c7"}, "properties": {"repobilityId": 82042, "scanner": "osv-scanner", "fingerprint": "b923877b0bec4efd6005da366aa944a399bcc0367fbb1696d3c06e212298ed6b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45134"], "package": "langchain", "rule_id": "GHSA-3644-q5cj-c5c7", "scanner": "osv-scanner", "correlation_key": "vuln|langchain|CVE-2026-45134|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-38", "level": "error", "message": {"text": "fastapi: PYSEC-2024-38"}, "properties": {"repobilityId": 82039, "scanner": "osv-scanner", "fingerprint": "2a83d4bb875062b57700338405b73bd605d2cda4e66036eaec4d4da8ed0049ea", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-24762", "GHSA-2jv5-9r88-3w3p", "GHSA-qf9m-vfgh-m389"], "package": "fastapi", "rule_id": "PYSEC-2024-38", "scanner": "osv-scanner", "correlation_key": "vuln|fastapi|CVE-2024-24762|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3936-cmfr-pm3m", "level": "error", "message": {"text": "black: GHSA-3936-cmfr-pm3m"}, "properties": {"repobilityId": 82038, "scanner": "osv-scanner", "fingerprint": "81b995d7e23962b84237aeb54208b2f8f8203a8d114da561b595d841ffac8855", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32274"], "package": "black", "rule_id": "GHSA-3936-cmfr-pm3m", "scanner": "osv-scanner", "correlation_key": "vuln|black|CVE-2026-32274|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-48", "level": "error", "message": {"text": "black: PYSEC-2024-48"}, "properties": {"repobilityId": 82037, "scanner": "osv-scanner", "fingerprint": 
"0297b6a7b7da8b20676709a4e0b39d2c902184fb2d389257a482b58bb7824d7b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-21503", "GHSA-fj7x-q9j7-g6q6"], "package": "black", "rule_id": "PYSEC-2024-48", "scanner": "osv-scanner", "correlation_key": "vuln|black|CVE-2024-21503|poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-fj7x-q9j7-g6q6", "PYSEC-2024-48"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0297b6a7b7da8b20676709a4e0b39d2c902184fb2d389257a482b58bb7824d7b", "ac1bf62545a56cd484152a4d75544742a81bd3af01ba5a9ab7e631dda143629b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6mq8-rvhq-8wgg", "level": "error", "message": {"text": "aiohttp: GHSA-6mq8-rvhq-8wgg"}, "properties": {"repobilityId": 82023, "scanner": "osv-scanner", "fingerprint": "ec74f4e51e88352796aa56a8d0814df07dfa09c138be1e9e863baa9284263ea7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69223"], "package": "aiohttp", "rule_id": "GHSA-6mq8-rvhq-8wgg", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69223|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 82011, "scanner": "osv-scanner", "fingerprint": "a8fffbdec2ac13a6029d3026d96dec39ea27c7a8c6d21071129cd8b6aec06614", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 82008, "scanner": "osv-scanner", "fingerprint": "286efe7eea57d7db828523f857b3e9742aa2f29dd11410b2ca3da86331daef61", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 82006, "scanner": "osv-scanner", "fingerprint": "2b9090ea3e048a40cfbe1a34c641c7ba554bc695fceb9a44623b31e37aa158e1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 82005, "scanner": 
"osv-scanner", "fingerprint": "02365e169c301bab58ce074891e8e814129fa13a848a7ce83fe5d0c2303ce70f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 82004, "scanner": "osv-scanner", "fingerprint": "6e500fdf994a8a1b00ffa6f4d4c2ccd31040d44d6a58e119e20a5f1cacdc3dce", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5j98-mcp5-4vw2", "level": "error", "message": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "properties": {"repobilityId": 82002, "scanner": "osv-scanner", "fingerprint": "bf2491aee3a8bb4907b2942badb965af363aadff4f84cc500c0f60d6a2f1cd01", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64756"], "package": "glob", "rule_id": "GHSA-5j98-mcp5-4vw2", "scanner": "osv-scanner", "correlation_key": "vuln|glob|CVE-2025-64756|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 82001, "scanner": "osv-scanner", "fingerprint": "134333f1574b2677335417cef47ae040a3c6b5e8fd7263563304dbe395aee2b9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 82000, "scanner": "osv-scanner", "fingerprint": "5fc4e8ee405464d4a8c86a09ad516e9d0cbe1b0b1e114edb6a0d23288cd6a9c0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|app/frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c27g-q93r-2cwf", "level": "error", "message": {"text": "vite: GHSA-c27g-q93r-2cwf"}, "properties": {"repobilityId": 81989, "scanner": "osv-scanner", "fingerprint": "614e96f0e543507f1bd08cac88cb77f2da523717f108137557112ff1a865e7a1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-52011"], "package": 
"vite", "rule_id": "GHSA-c27g-q93r-2cwf", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2024-52011|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 81980, "scanner": "osv-scanner", "fingerprint": "23f6d7d912c8b52c414573185af47a10b604ebd36fabecb894738a9805460992", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gcx4-mw62-g8wm", "level": "error", "message": {"text": "rollup: GHSA-gcx4-mw62-g8wm"}, "properties": {"repobilityId": 81979, "scanner": "osv-scanner", "fingerprint": "93f41ccce205e037b8539814c4a50f05cb7fdd9b8f67b8f3eea6fb7c21c5c2ee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47068"], "package": "rollup", "rule_id": "GHSA-gcx4-mw62-g8wm", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2024-47068|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 81976, "scanner": "osv-scanner", "fingerprint": "99b251ebb9b4090f5c03076744ffc1c0c71bbf76b701763ee50c69b81891ed29", "category": "dependency", "severity": "high", "confidence": 
0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 81974, "scanner": "osv-scanner", "fingerprint": "8f73d355682ae2d4b8d6272443c464d10bd7b331b2d949aeb01b7b227f76b306", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 81973, "scanner": "osv-scanner", "fingerprint": "724458c94b38a7e8b0ce2721838b36d926f4ece3d9515b5abc6149432438f65e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 
81972, "scanner": "osv-scanner", "fingerprint": "ccd9115af5cf91f38e5aa926795eb132c2bd6ea961b3505d52e7d57eba5665f6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5j98-mcp5-4vw2", "level": "error", "message": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "properties": {"repobilityId": 81970, "scanner": "osv-scanner", "fingerprint": "5bfa258c88f5d01079a3c0bc18710522db2ed276793bf4d5573f16a0f342db3a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64756"], "package": "glob", "rule_id": "GHSA-5j98-mcp5-4vw2", "scanner": "osv-scanner", "correlation_key": "vuln|glob|CVE-2025-64756|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 81969, "scanner": "osv-scanner", "fingerprint": "749ab10c9c42368c8734d4dfb0b3b16043535e6b0de78af4f748ea35ef1afd07", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 81968, "scanner": "osv-scanner", "fingerprint": "ad63e7c0d1cc37eb4f0c9c902a26ae03a129f6e716beb843d0bcb9e81fb5473a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 81940, "scanner": "repobility-threat-engine", "fingerprint": "5ab2f973b086df158644feecbcc001e11b95ccba7eb14b366c96717926a20afc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5ab2f973b086df158644feecbcc001e11b95ccba7eb14b366c96717926a20afc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/backtesting/__main__.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 81933, "scanner": "repobility-threat-engine", "fingerprint": "83d2ffea0276c077b26b1c1b0980f0b887d72cee156540cab7c28a66a6b2e123", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|83d2ffea0276c077b26b1c1b0980f0b887d72cee156540cab7c28a66a6b2e123"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/backtester.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 81931, "scanner": "repobility-threat-engine", "fingerprint": "1ad034fbe327006c8d788088ccfb28a69ce7abe70b668124df9d70ae6a368d04", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ad034fbe327006c8d788088ccfb28a69ce7abe70b668124df9d70ae6a368d04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/backtesting/valuation.py"}, "region": {"startLine": 16}}}]}, {"ruleId": 
"MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 81930, "scanner": "repobility-threat-engine", "fingerprint": "d9b65440528e3f2904987407edb674c421a02c509c38073c7f660a36b88089b5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d9b65440528e3f2904987407edb674c421a02c509c38073c7f660a36b88089b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/backtesting/portfolio.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 81929, "scanner": "repobility-threat-engine", "fingerprint": "a4d244d26a19c61aebcc5c24c8fbd695272094fadbbf31a8f303cfe99bf1eeac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a4d244d26a19c61aebcc5c24c8fbd695272094fadbbf31a8f303cfe99bf1eeac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/agents/portfolio_manager.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 81928, "scanner": "repobility-threat-engine", "fingerprint": "9ea0c006edb5e751e5d420f89432da611427dfd52de01d8f98a2a1ea534f8874", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'^version\\s*=\\s*\\\"([^\\\"]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/release.sh|81|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release.sh"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 81925, "scanner": "repobility-threat-engine", "fingerprint": "8443492112634b777ba21bd7fc4a121d2ae4395b00e398f14d10693c9144879b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8443492112634b777ba21bd7fc4a121d2ae4395b00e398f14d10693c9144879b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/frontend/src/nodes/components/json-output-dialog.tsx"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 81906, "scanner": "repobility-threat-engine", "fingerprint": "02a7bbd0a4b6bcfbecbc46fcf814e5c1c7914d580636ab4e93cc1cd8256e3c93", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\n    \"/\",\n    response_model=FlowResponse,\n    responses={\n        400: {\"model\": Error", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|02a7bbd0a4b6bcfbecbc46fcf814e5c1c7914d580636ab4e93cc1cd8256e3c93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/flows.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 81905, "scanner": "repobility-threat-engine", "fingerprint": "e1690fa837a1e63bdd778cb349942edee2788f9c0952cbce241ed214e8895d3a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\n    \"/\",\n    response_model=FlowRunResponse,\n    responses={\n        404: {\"model\": Er", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e1690fa837a1e63bdd778cb349942edee2788f9c0952cbce241ed214e8895d3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/flow_runs.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 81904, "scanner": "repobility-threat-engine", "fingerprint": "af3b3b7ce8f72aabc2e35494759cd48c4fbf3e8ca3a4cfdf22b61c238020c495", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\n    \"/\",\n    response_model=ApiKeyResponse,\n    responses={\n        400: {\"model\": Err", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|af3b3b7ce8f72aabc2e35494759cd48c4fbf3e8ca3a4cfdf22b61c238020c495"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/api_keys.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81902, "scanner": "repobility-threat-engine", "fingerprint": "723ca9adaca112c85622b4c34248cc7bba9230b274b876c5ce91521754ce1603", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.db.delete(flow_run)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|723ca9adaca112c85622b4c34248cc7bba9230b274b876c5ce91521754ce1603"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/flow_run_repository.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81901, "scanner": "repobility-threat-engine", "fingerprint": "75e4c51e1a04c8e1575583c8dac8218884b7836c57f5a47fdb79f9d8fe945eee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.db.delete(flow)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|75e4c51e1a04c8e1575583c8dac8218884b7836c57f5a47fdb79f9d8fe945eee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/flow_repository.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81900, "scanner": "repobility-threat-engine", "fingerprint": "d6ee1af63a11eaac07196badd526e942f6f82a7ca7cd62504198244620897933", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.db.delete(api_key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d6ee1af63a11eaac07196badd526e942f6f82a7ca7cd62504198244620897933"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/api_key_repository.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 81892, "scanner": "repobility-threat-engine", "fingerprint": "98c119e87a07e2791f3ac2079b4c99386187e1d029a7bbf729900216652897b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|98c119e87a07e2791f3ac2079b4c99386187e1d029a7bbf729900216652897b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/llm.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED001", "level": "error", "message": 
{"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 81891, "scanner": "repobility-threat-engine", "fingerprint": "def870d1db7a92a2c87890e01fbf5a92af25c278b2a8f14314b7c08bbcae28ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|def870d1db7a92a2c87890e01fbf5a92af25c278b2a8f14314b7c08bbcae28ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/alembic/versions/3f9a6b7c8d2e_add_hedgefundflowruncycle_table.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.11-slim` not pinned by digest"}, "properties": {"repobilityId": 81845, "scanner": "repobility-supply-chain", "fingerprint": "7839478f3c96aeb1f714f88345c7249e240b4b47ff3cff2f9989fb4ecc1eb83d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7839478f3c96aeb1f714f88345c7249e240b4b47ff3cff2f9989fb4ecc1eb83d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": 
"FastAPI DELETE /models/download/{model_name} has no auth"}, "properties": {"repobilityId": 81844, "scanner": "repobility-route-auth", "fingerprint": "1239ccb17a543109340f59089907c1428837373261561c3acef451931753b213", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|1239ccb17a543109340f59089907c1428837373261561c3acef451931753b213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/ollama.py"}, "region": {"startLine": 303}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /models/{model_name} has no auth"}, "properties": {"repobilityId": 81843, "scanner": "repobility-route-auth", "fingerprint": "c85ccac545f95ef0f255b8fb20fbebf18edc018eaa57f83288f5e88db9a76c87", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c85ccac545f95ef0f255b8fb20fbebf18edc018eaa57f83288f5e88db9a76c87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/ollama.py"}, "region": {"startLine": 250}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /models/download/progress has no auth"}, "properties": {"repobilityId": 81842, "scanner": "repobility-route-auth", "fingerprint": "b9c90dbc4f750c9573cb35284a1a68e82bff4381452b7384a5842312e025ef91", "category": "quality", "severity": "high", 
"confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|b9c90dbc4f750c9573cb35284a1a68e82bff4381452b7384a5842312e025ef91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/ollama.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /models/download has no auth"}, "properties": {"repobilityId": 81841, "scanner": "repobility-route-auth", "fingerprint": "0de8416e8c0c6da88cb3b942fa13be5c12f46629556e494726b34ab0ccac059d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|0de8416e8c0c6da88cb3b942fa13be5c12f46629556e494726b34ab0ccac059d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/ollama.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /stop has no auth"}, "properties": {"repobilityId": 81840, "scanner": "repobility-route-auth", "fingerprint": "13f808c8f03474af92359e443c7268a8460e79a2b2c26c44ea1811eeadb9acb2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 
10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|13f808c8f03474af92359e443c7268a8460e79a2b2c26c44ea1811eeadb9acb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/ollama.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /start has no auth"}, "properties": {"repobilityId": 81839, "scanner": "repobility-route-auth", "fingerprint": "f664f3ebb74617516b8295f957a819c61e1985062535be0209d0d9efd2fa69ce", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|f664f3ebb74617516b8295f957a819c61e1985062535be0209d0d9efd2fa69ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/ollama.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST (unknown path) has no auth"}, "properties": {"repobilityId": 81838, "scanner": "repobility-route-auth", "fingerprint": "005617b90b7f7c67d53e7d7c64da4c6a517f7a32f25b8581a06491e48940af82", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|005617b90b7f7c67d53e7d7c64da4c6a517f7a32f25b8581a06491e48940af82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/routes/storage.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED108", 
"level": "error", "message": {"text": "`self.prefetch_data` used but never assigned in __init__"}, "properties": {"repobilityId": 81814, "scanner": "repobility-ast-engine", "fingerprint": "27acb1bf467373d4cc285b0c890edb7995adb51539d524ae417165b22671abf4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|27acb1bf467373d4cc285b0c890edb7995adb51539d524ae417165b22671abf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/services/backtest_service.py"}, "region": {"startLine": 291}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.performance_metrics` used but never assigned in __init__"}, "properties": {"repobilityId": 81813, "scanner": "repobility-ast-engine", "fingerprint": "c5885dc0dd6ea22b7e90cbbab62810f27bbb94220bfb995e46178cbec98aef21", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5885dc0dd6ea22b7e90cbbab62810f27bbb94220bfb995e46178cbec98aef21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/services/backtest_service.py"}, "region": {"startLine": 505}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_flow_run_by_id` used but never assigned in __init__"}, "properties": {"repobilityId": 81812, "scanner": "repobility-ast-engine", "fingerprint": "03a977857bd9662a2a612612d788f2086281fec69ce3eb698c801ba3ddd86271", "category": "quality", "severity": 
"high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|03a977857bd9662a2a612612d788f2086281fec69ce3eb698c801ba3ddd86271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/flow_run_repository.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_flow_run_by_id` used but never assigned in __init__"}, "properties": {"repobilityId": 81811, "scanner": "repobility-ast-engine", "fingerprint": "1a3f81b712b56dd1336226a2702d47180fe16c51148d6f96e75dece521d77075", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1a3f81b712b56dd1336226a2702d47180fe16c51148d6f96e75dece521d77075"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/flow_run_repository.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_next_run_number` used but never assigned in __init__"}, "properties": {"repobilityId": 81810, "scanner": "repobility-ast-engine", "fingerprint": "cd90e2adb8361868464f943cd95a57ffafa7dbc5650df9d3bcdc5f314acf344f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|cd90e2adb8361868464f943cd95a57ffafa7dbc5650df9d3bcdc5f314acf344f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/flow_run_repository.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.create_flow` used but never assigned in __init__"}, "properties": {"repobilityId": 81809, "scanner": "repobility-ast-engine", "fingerprint": "0b6de770683e3dbdc6e4cdd681a84055cfda573178948ea924cd11c448f64016", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b6de770683e3dbdc6e4cdd681a84055cfda573178948ea924cd11c448f64016"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/flow_repository.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_flow_by_id` used but never assigned in __init__"}, "properties": {"repobilityId": 81808, "scanner": "repobility-ast-engine", "fingerprint": "ade65a9b7421af6ee2fe13a5181df901a0e8ee31ff1be7be529dbb41bbab9ac2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ade65a9b7421af6ee2fe13a5181df901a0e8ee31ff1be7be529dbb41bbab9ac2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/flow_repository.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED108", "level": 
"error", "message": {"text": "`self.get_flow_by_id` used but never assigned in __init__"}, "properties": {"repobilityId": 81807, "scanner": "repobility-ast-engine", "fingerprint": "a101a830c158c06cd7470128833b4a85784bdae0f7cbe2b5ad0371b32e21c5df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a101a830c158c06cd7470128833b4a85784bdae0f7cbe2b5ad0371b32e21c5df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/flow_repository.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_flow_by_id` used but never assigned in __init__"}, "properties": {"repobilityId": 81806, "scanner": "repobility-ast-engine", "fingerprint": "74b5f6b780aaf679111749a986285948a5bf77e5f726bfa37b142c432a20deb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|74b5f6b780aaf679111749a986285948a5bf77e5f726bfa37b142c432a20deb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/flow_repository.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.create_or_update_api_key` used but never assigned in __init__"}, "properties": {"repobilityId": 81805, "scanner": "repobility-ast-engine", "fingerprint": "83bfceeacdb009c5ff9472ad22097ae85cff5ebaea974d172c8a15b73de3dfd8", "category": "quality", "severity": 
"high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|83bfceeacdb009c5ff9472ad22097ae85cff5ebaea974d172c8a15b73de3dfd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/backend/repositories/api_key_repository.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._fill_signal` used but never assigned in __init__"}, "properties": {"repobilityId": 81802, "scanner": "repobility-ast-engine", "fingerprint": "b02c697604f13977469898440dd9c2f13295dac0e7c68c821f81934344961441", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b02c697604f13977469898440dd9c2f13295dac0e7c68c821f81934344961441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/backtesting/engine.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._compute_metrics` used but never assigned in __init__"}, "properties": {"repobilityId": 81801, "scanner": "repobility-ast-engine", "fingerprint": "d8f45b1c290ed27a872038d1a43cb6b89eac72d19f6db6a436e30884a3d0669d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", 
"correlation_key": "fp|d8f45b1c290ed27a872038d1a43cb6b89eac72d19f6db6a436e30884a3d0669d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/backtesting/engine.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._build_equity_curve` used but never assigned in __init__"}, "properties": {"repobilityId": 81800, "scanner": "repobility-ast-engine", "fingerprint": "400d689c11273b12586dcfa176e929df9162dac6ae6795e768d3ea6cff97d98d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|400d689c11273b12586dcfa176e929df9162dac6ae6795e768d3ea6cff97d98d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/backtesting/engine.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.run_signals` used but never assigned in __init__"}, "properties": {"repobilityId": 81799, "scanner": "repobility-ast-engine", "fingerprint": "3d4a00dd9ce6ff6d96750b7f422802977a8ccccb55f8dd4d08c4201f0226680c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d4a00dd9ce6ff6d96750b7f422802977a8ccccb55f8dd4d08c4201f0226680c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/backtesting/engine.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_exact"}, "properties": 
{"repobilityId": 81796, "scanner": "repobility-ast-engine", "fingerprint": "8ac124f372ea8998917ab6c29c08f9de8f0062fd94a46a1a4804b12a2ed6a5f7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8ac124f372ea8998917ab6c29c08f9de8f0062fd94a46a1a4804b12a2ed6a5f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/event_study/test_event_study.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._request` used but never assigned in __init__"}, "properties": {"repobilityId": 81795, "scanner": "repobility-ast-engine", "fingerprint": "9dc953e8064e9eb9dc7b93bb2eb8f473125cd33ba677e7eed82659e465cb10f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9dc953e8064e9eb9dc7b93bb2eb8f473125cd33ba677e7eed82659e465cb10f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/client.py"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_financial_metrics` used but never assigned in __init__"}, "properties": {"repobilityId": 81794, "scanner": "repobility-ast-engine", "fingerprint": "8e7375c3d6cbb4e5b79f28fe014e45d53831ff358d8ccf0c0aa13ad61e1677bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8e7375c3d6cbb4e5b79f28fe014e45d53831ff358d8ccf0c0aa13ad61e1677bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/client.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_company_facts` used but never assigned in __init__"}, "properties": {"repobilityId": 81793, "scanner": "repobility-ast-engine", "fingerprint": "9c595c942dad44f7320c86f7a41b866f331917bda6a6dc00bf8e07914a02b8d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9c595c942dad44f7320c86f7a41b866f331917bda6a6dc00bf8e07914a02b8d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/client.py"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get` used but never assigned in __init__"}, "properties": {"repobilityId": 81792, "scanner": "repobility-ast-engine", "fingerprint": "190491def9b3acaf4c37e2d39afda39d460a83d22c0580dcfb9508706db25f2a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|190491def9b3acaf4c37e2d39afda39d460a83d22c0580dcfb9508706db25f2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/client.py"}, "region": 
{"startLine": 173}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get` used but never assigned in __init__"}, "properties": {"repobilityId": 81791, "scanner": "repobility-ast-engine", "fingerprint": "9382b0594a1b091c62c252fcd4b321769f250a063388eacd6f38d350eb91eaa1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9382b0594a1b091c62c252fcd4b321769f250a063388eacd6f38d350eb91eaa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/client.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._request` used but never assigned in __init__"}, "properties": {"repobilityId": 81790, "scanner": "repobility-ast-engine", "fingerprint": "0a00a93985edbd3589c4289ba9562c4ae7f18d99d4005102c65737702a7d0157", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0a00a93985edbd3589c4289ba9562c4ae7f18d99d4005102c65737702a7d0157"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/client.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get` used but never assigned in __init__"}, "properties": {"repobilityId": 81789, "scanner": "repobility-ast-engine", "fingerprint": "3f715550c4b47837d1f6d72cb97d0b29eb2ef1b2ae00ed8f934347ac73e6a213", "category": "quality", "severity": "high", "confidence": 1.0, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f715550c4b47837d1f6d72cb97d0b29eb2ef1b2ae00ed8f934347ac73e6a213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/client.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get` used but never assigned in __init__"}, "properties": {"repobilityId": 81788, "scanner": "repobility-ast-engine", "fingerprint": "604cc01ad0b808048fb3b02aeef823674db4eae7bd9eb7b7eedd85f33487a391", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|604cc01ad0b808048fb3b02aeef823674db4eae7bd9eb7b7eedd85f33487a391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/client.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get` used but never assigned in __init__"}, "properties": {"repobilityId": 81787, "scanner": "repobility-ast-engine", "fingerprint": "3fd4dca6af94f04bcae5e305b657237ddd66d20e87e1b2a060daae1a0c720e29", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3fd4dca6af94f04bcae5e305b657237ddd66d20e87e1b2a060daae1a0c720e29"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/client.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get` used but never assigned in __init__"}, "properties": {"repobilityId": 81786, "scanner": "repobility-ast-engine", "fingerprint": "fb851a059f71be58bb00e76f8a9541b36ef1994463a3fbec8a4cc8a8999991c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fb851a059f71be58bb00e76f8a9541b36ef1994463a3fbec8a4cc8a8999991c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/client.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.close` used but never assigned in __init__"}, "properties": {"repobilityId": 81785, "scanner": "repobility-ast-engine", "fingerprint": "0f6f54c21d9108d9e7652a6e8fbbe91a0b6b5c520ecf415294835f3c240fccd8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0f6f54c21d9108d9e7652a6e8fbbe91a0b6b5c520ecf415294835f3c240fccd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/data/client.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "GHSA-c67j-w6g6-q2cm", "level": "error", "message": {"text": "langchain-core: GHSA-c67j-w6g6-q2cm"}, "properties": {"repobilityId": 82046, "scanner": "osv-scanner", "fingerprint": 
"81770189fe9b4a13d67e71f3788afe45e6d5da278fbdd6a0c3a87fe1d2fb8ac2", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68664"], "package": "langchain-core", "rule_id": "GHSA-c67j-w6g6-q2cm", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-core|CVE-2025-68664|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `signal` used but not imported"}, "properties": {"repobilityId": 81831, "scanner": "repobility-ast-engine", "fingerprint": "23b91aa7e466fe537e543348ad799d13d4a4650d107bbbb4ef61eadbb8baf43c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23b91aa7e466fe537e543348ad799d13d4a4650d107bbbb4ef61eadbb8baf43c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/display.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `signal` used but not imported"}, "properties": {"repobilityId": 81798, "scanner": "repobility-ast-engine", "fingerprint": "fc81614a9a36aa381798173b183089b1a10c5b8489084dcbc3bda3dc949187d9", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", 
"correlation_key": "fp|fc81614a9a36aa381798173b183089b1a10c5b8489084dcbc3bda3dc949187d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/backtesting/engine.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `signal` used but not imported"}, "properties": {"repobilityId": 81797, "scanner": "repobility-ast-engine", "fingerprint": "84e1867e1ad7c1696fccf625de557c8e9f94af3bc7e33ebd324102a6fa7e1a35", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|84e1867e1ad7c1696fccf625de557c8e9f94af3bc7e33ebd324102a6fa7e1a35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/backtesting/test_backtest.py"}, "region": {"startLine": 63}}}]}]}]}