{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-PY", "name": "Python package `packaging` is 6 major version(s) behind (20.9 -> 26.2)", "shortDescription": {"text": "Python package `packaging` is 6 major version(s) behind (20.9 -> 26.2)"}, "fullDescription": {"text": "`packaging==20.9` is 6 major version(s) behind the latest stable release on PyPI (26.2). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. 
This is the version-currency signal Dependabot raises."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED039", "name": "[MINED039] Rust Todo Macro (and 1 more): Same pattern found in 1 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED039] Rust Todo Macro (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 21 more): Same pattern found in 21 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 21 more): Same pattern found in 21 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0320", "name": "yaml-rust: RUSTSEC-2024-0320", "shortDescription": {"text": "yaml-rust: RUSTSEC-2024-0320"}, "fullDescription": {"text": "yaml-rust is unmaintained."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0098", "name": "unic-ucd-version: RUSTSEC-2025-0098", "shortDescription": {"text": "unic-ucd-version: RUSTSEC-2025-0098"}, "fullDescription": {"text": "`unic-ucd-version` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0104", "name": "unic-ucd-segment: RUSTSEC-2025-0104", "shortDescription": {"text": "unic-ucd-segment: RUSTSEC-2025-0104"}, "fullDescription": {"text": "`unic-ucd-segment` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0074", "name": "unic-segment: RUSTSEC-2025-0074", "shortDescription": {"text": "unic-segment: RUSTSEC-2025-0074"}, "fullDescription": {"text": "`unic-segment` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0080", "name": "unic-common: RUSTSEC-2025-0080", "shortDescription": {"text": "unic-common: RUSTSEC-2025-0080"}, "fullDescription": {"text": "`unic-common` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0075", "name": "unic-char-range: RUSTSEC-2025-0075", "shortDescription": {"text": "unic-char-range: RUSTSEC-2025-0075"}, 
"fullDescription": {"text": "`unic-char-range` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0081", "name": "unic-char-property: RUSTSEC-2025-0081", "shortDescription": {"text": "unic-char-property: RUSTSEC-2025-0081"}, "fullDescription": {"text": "`unic-char-property` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0009", "name": "time: RUSTSEC-2026-0009", "shortDescription": {"text": "time: RUSTSEC-2026-0009"}, "fullDescription": {"text": "Denial of Service via Stack Exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2021-0127", "name": "serde_cbor: RUSTSEC-2021-0127", "shortDescription": {"text": "serde_cbor: RUSTSEC-2021-0127"}, "fullDescription": {"text": "serde_cbor is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0026", "name": "registry: RUSTSEC-2025-0026", "shortDescription": {"text": "registry: RUSTSEC-2025-0026"}, "fullDescription": {"text": "registry is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0097", "name": "rand: RUSTSEC-2026-0097", "shortDescription": {"text": "rand: RUSTSEC-2026-0097"}, "fullDescription": {"text": "Rand is unsound with a custom logger using `rand::rng()`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0436", "name": "paste: RUSTSEC-2024-0436", "shortDescription": {"text": "paste: RUSTSEC-2024-0436"}, "fullDescription": 
{"text": "paste - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0119", "name": "number_prefix: RUSTSEC-2025-0119", "shortDescription": {"text": "number_prefix: RUSTSEC-2025-0119"}, "fullDescription": {"text": "number_prefix crate is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0384", "name": "instant: RUSTSEC-2024-0384", "shortDescription": {"text": "instant: RUSTSEC-2024-0384"}, "fullDescription": {"text": "`instant` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0375", "name": "atty: RUSTSEC-2024-0375", "shortDescription": {"text": "atty: RUSTSEC-2024-0375"}, "fullDescription": {"text": "`atty` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2021-0145", "name": "atty: RUSTSEC-2021-0145", "shortDescription": {"text": "atty: RUSTSEC-2021-0145"}, "fullDescription": {"text": "Potential unaligned read"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. 
Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `rust:slim-bookworm` unpinned", "shortDescription": {"text": "Workflow container/services image `rust:slim-bookworm` unpinned"}, "fullDescription": {"text": "`container/services image: rust:slim-bookworm` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/cache` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `centos:7` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `centos:7` not pinned by digest"}, "fullDescription": {"text": "`FROM centos:7` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_version_printing", "shortDescription": {"text": "Phantom test coverage: test_version_printing"}, "fullDescription": {"text": "Test function `test_version_printing` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.path` used but never assigned in __init__", "shortDescription": {"text": "`self.path` used but never assigned in __init__"}, "fullDescription": {"text": "Method `compile_test_script` of class `RustCrate` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Confirm the exposure before acting: by default GitHub does not pass repository secrets to `pull_request` runs that originate from a fork, so the token is readable mainly by same-repository branches or when the workflow runs under `pull_request_target`. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1368"}, "properties": {"repository": "spkenv/spk", "repoUrl": "https://github.com/spkenv/spk", "branch": "main"}, "results": [{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 140096, "scanner": "repobility-docker", "fingerprint": "1096bd82e717d8ba5cc48fd0c2022d14f05fb2001f9b44dc145223ff764d334b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "centos:7", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1096bd82e717d8ba5cc48fd0c2022d14f05fb2001f9b44dc145223ff764d334b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 140093, "scanner": "repobility-threat-engine", "fingerprint": "36f8cd3ba750d52f32c4caaffba7c0f1aae1f3e0ef7dab83beb700c089e2d1eb", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(y){}", "reason": "Pattern matched with no mitigating context found", "rule_id": 
"ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|36f8cd3ba750d52f32c4caaffba7c0f1aae1f3e0ef7dab83beb700c089e2d1eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/static/js/modernizr.custom-3.6.0.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 140073, "scanner": "repobility-threat-engine", "fingerprint": "2e6c7f970c00bbcb1938bb2881f5a531c583c57b52bbf4febd44a20d0e29feee", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|144|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-cli/cmd-env/src/cmd_env.rs"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 140072, "scanner": "repobility-threat-engine", "fingerprint": "20ff04c837cd2c17148cba32063c2cc1231dac2e53854be483c44fbbe8adf343", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|218|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-cli/main/src/bin.rs"}, "region": {"startLine": 218}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 140071, "scanner": "repobility-threat-engine", "fingerprint": "8d764e2099ad7c8a6eb229812cc15453f305b60c9626a4b436fa7ffd3bda7999", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|149|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-cli/cmd-join/src/cmd_join.rs"}, "region": {"startLine": 149}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 140052, "scanner": "repobility-agent-runtime", "fingerprint": "20ab08e2dccbcb4129b9e47d4d226da9aaac1e0e2dc524b93b0f8cf0bcbeec34", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|20ab08e2dccbcb4129b9e47d4d226da9aaac1e0e2dc524b93b0f8cf0bcbeec34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/unittests.sh"}, "region": {"startLine": 13}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `packaging` is 6 major version(s) behind (20.9 -> 26.2)"}, "properties": {"repobilityId": 140050, "scanner": "repobility-dependency-currency", "fingerprint": "f0301b02c8c06be1406cf3e6afaf047f0ed724617ba619551b772da1e648ede4", "category": "dependency", "severity": "medium", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "6 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "packaging", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "26.2", "correlation_key": "fp|f0301b02c8c06be1406cf3e6afaf047f0ed724617ba619551b772da1e648ede4", "current_version": "20.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/spk-convert-pip/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 140097, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `wheel` is minor version(s) behind (0.46.2 -> 0.47.0)"}, "properties": {"repobilityId": 140051, "scanner": "repobility-dependency-currency", "fingerprint": "178fb6626d85a1dda79b456eddf0cc52f1d24ff2e7019d42bc5d01313ee12e8a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "wheel", 
"scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.47.0", "correlation_key": "fp|178fb6626d85a1dda79b456eddf0cc52f1d24ff2e7019d42bc5d01313ee12e8a", "current_version": "0.46.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/spk-convert-pip/requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `pkginfo` is minor version(s) behind (1.10.0 -> 1.12.1.2)"}, "properties": {"repobilityId": 140048, "scanner": "repobility-dependency-currency", "fingerprint": "5f6856db5bcfe33e34ccdcd23d51fa0e5658ca79b255b0d7a8276aa98f8e6443", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pkginfo", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.12.1.2", "correlation_key": "fp|5f6856db5bcfe33e34ccdcd23d51fa0e5658ca79b255b0d7a8276aa98f8e6443", "current_version": "1.10.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/spk-convert-pip/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 140004, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1868fe8fd57fabb2bb5dda0151c8607061e1630c6683cf7e24a457ae640ae073", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"crates/spk-schema/src/v0/embedded_install_spec.rs", "duplicate_line": 5, "correlation_key": "fp|1868fe8fd57fabb2bb5dda0151c8607061e1630c6683cf7e24a457ae640ae073"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-schema/src/v0/embedded_recipe_install_spec.rs"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 140003, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6bdf631f6dc6f985e048b7ef66b93aac5c4c7ec46bcac4fc1339a7f7db008f9b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-schema/crates/foundation/src/ident/parsing/parsing_test.rs", "duplicate_line": 16, "correlation_key": "fp|6bdf631f6dc6f985e048b7ef66b93aac5c4c7ec46bcac4fc1339a7f7db008f9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-schema/crates/foundation/src/version_range/parsing/version_range.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 140002, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45ea0c81d89982ce0b9fcb563db9c9bf09f0bf45866a5ca9a1a4f5fda27a8ad2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"crates/spk-schema/crates/foundation/src/ident/pinnable_request_test.rs", "duplicate_line": 3, "correlation_key": "fp|45ea0c81d89982ce0b9fcb563db9c9bf09f0bf45866a5ca9a1a4f5fda27a8ad2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-schema/crates/foundation/src/ident/pinned_request_test.rs"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 140001, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ba1dbc1f920425c5e90ec3ccf4512e918695383693d195acb24cee641f839722", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs/src/config.rs", "duplicate_line": 386, "correlation_key": "fp|ba1dbc1f920425c5e90ec3ccf4512e918695383693d195acb24cee641f839722"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-config/src/config.rs"}, "region": {"startLine": 142}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 140000, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e955587afd39bbc56f23b71705ea3b09eae93082490ce2c5e26108bca294c6c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs-cli/main/src/cmd_info.rs", "duplicate_line": 217, "correlation_key": 
"fp|5e955587afd39bbc56f23b71705ea3b09eae93082490ce2c5e26108bca294c6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-cli/group4/src/cmd_view.rs"}, "region": {"startLine": 420}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139999, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8736af3d5d81f464f4b2d9c0238209ba2dff219631a3dbaeb06b2066574724c7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-cli/group3/src/cmd_export_test.rs", "duplicate_line": 68, "correlation_key": "fp|8736af3d5d81f464f4b2d9c0238209ba2dff219631a3dbaeb06b2066574724c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-cli/group3/src/cmd_import_test.rs"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139998, "scanner": "repobility-ai-code-hygiene", "fingerprint": "195d296145594fdfde87eb7bd39d74a4649ea928de700e16167b7709e10419a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-build/src/archive_test.rs", "duplicate_line": 16, "correlation_key": "fp|195d296145594fdfde87eb7bd39d74a4649ea928de700e16167b7709e10419a2"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "crates/spk-cli/group3/src/cmd_import_test.rs"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139997, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0fc4dcd9b528847dc516ae3c1000f69374479195200330c826235c36e5a3680", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-cli/group2/src/cmd_ls_test.rs", "duplicate_line": 12, "correlation_key": "fp|b0fc4dcd9b528847dc516ae3c1000f69374479195200330c826235c36e5a3680"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-cli/group2/src/cmd_stats_test.rs"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139996, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db5352356c63545f3ca4fbf93ac34e3156b51ae380d60aee9bff63e1bdae9155", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-cli/group1/src/cmd_deprecate_test.rs", "duplicate_line": 19, "correlation_key": "fp|db5352356c63545f3ca4fbf93ac34e3156b51ae380d60aee9bff63e1bdae9155"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-cli/group1/src/cmd_undeprecate_test.rs"}, "region": {"startLine": 
19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139995, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95424fff70b6560406cc2a48766c6b274079892ce1548a2e11d4f7780b0f2d54", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-cli/cmd-env/src/cmd_env.rs", "duplicate_line": 38, "correlation_key": "fp|95424fff70b6560406cc2a48766c6b274079892ce1548a2e11d4f7780b0f2d54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-cli/group1/src/cmd_bake.rs"}, "region": {"startLine": 121}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139994, "scanner": "repobility-ai-code-hygiene", "fingerprint": "106d57fc25cafc508d2c34449499ba963c3777606485fb4489fc81f7c4e02c71", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-build/src/error.rs", "duplicate_line": 31, "correlation_key": "fp|106d57fc25cafc508d2c34449499ba963c3777606485fb4489fc81f7c4e02c71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-cli/common/src/error.rs"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 139993, "scanner": "repobility-ai-code-hygiene", "fingerprint": "146c33295c1b7975b8faa38b63ae7f8ba19e797ea313e263b97da9b506115252", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs-cli/common/src/args.rs", "duplicate_line": 140, "correlation_key": "fp|146c33295c1b7975b8faa38b63ae7f8ba19e797ea313e263b97da9b506115252"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-cli/common/src/env.rs"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139992, "scanner": "repobility-ai-code-hygiene", "fingerprint": "811949569ae424d997bdada186bcc9496df3dca8360c43542d763a49c417da69", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-cli/cmd-env/src/cmd_env.rs", "duplicate_line": 37, "correlation_key": "fp|811949569ae424d997bdada186bcc9496df3dca8360c43542d763a49c417da69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-cli/cmd-explain/src/cmd_explain.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139991, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"2a185f2503d83d6d726151eb28dc950e9eb5a571d558a3390aecd2cb5c1e5275", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-cli/cmd-build/src/cmd_build_test/environment.rs", "duplicate_line": 52, "correlation_key": "fp|2a185f2503d83d6d726151eb28dc950e9eb5a571d558a3390aecd2cb5c1e5275"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-cli/cmd-build/src/cmd_build_test/mod.rs"}, "region": {"startLine": 364}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139990, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2e0d190ab8551aebe05e63fc4e15c34cd2082c0478b52a9361d3c22d460d5ba6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-build/src/validation/long_var_description_test.rs", "duplicate_line": 18, "correlation_key": "fp|2e0d190ab8551aebe05e63fc4e15c34cd2082c0478b52a9361d3c22d460d5ba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-build/src/validation/strong_inheritance_var_desc_test.rs"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139989, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"b73ac40e15ab381696e365d2a74b1e4d5ffd0b2b0f63d59e8d87cea507e13416", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-build/src/validation/empty_package.rs", "duplicate_line": 20, "correlation_key": "fp|b73ac40e15ab381696e365d2a74b1e4d5ffd0b2b0f63d59e8d87cea507e13416"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-build/src/validation/spdx_license.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139988, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dfb03ae9b51b308484fd442c5203dfd290f88f8740309c52edb69e5ac5b9e3be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spk-build/src/validation/alter_existing_files_test.rs", "duplicate_line": 22, "correlation_key": "fp|dfb03ae9b51b308484fd442c5203dfd290f88f8740309c52edb69e5ac5b9e3be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-build/src/validation/collect_all_files_test.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139987, "scanner": "repobility-ai-code-hygiene", "fingerprint": "54c0c07ace4b404302651d5b8140074ffebaa25eeafc9f917f27f0ffcdf6496b", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs/src/storage/pinned/tag.rs", "duplicate_line": 94, "correlation_key": "fp|54c0c07ace4b404302651d5b8140074ffebaa25eeafc9f917f27f0ffcdf6496b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/storage/tag.rs"}, "region": {"startLine": 116}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139986, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5c3ac4094fa4342643e442f74a6cb19f14857a710015110f37808ca1f108ff2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs/src/server/payload.rs", "duplicate_line": 170, "correlation_key": "fp|d5c3ac4094fa4342643e442f74a6cb19f14857a710015110f37808ca1f108ff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/storage/rpc/payload.rs"}, "region": {"startLine": 177}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139985, "scanner": "repobility-ai-code-hygiene", "fingerprint": "62c144bd31cc980e10d7e133fb955bea864a3aed5eca4e0605ef685a11690cf8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs/src/storage/fallback/repository.rs", "duplicate_line": 132, "correlation_key": "fp|62c144bd31cc980e10d7e133fb955bea864a3aed5eca4e0605ef685a11690cf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/storage/proxy/repository.rs"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139984, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aeb4f7a122d3cfba7fd81cdaebc16c5c6959c55fae2df47348b31f32673b5b77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs/src/storage/fs/renderer.rs", "duplicate_line": 113, "correlation_key": "fp|aeb4f7a122d3cfba7fd81cdaebc16c5c6959c55fae2df47348b31f32673b5b77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/storage/fs/repository.rs"}, "region": {"startLine": 552}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139983, "scanner": "repobility-ai-code-hygiene", "fingerprint": "285360aae4f5f6bd7c8ac411749b553c48b94eba5789111a5aa2ee4b0d83076f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs/src/runtime/startup_csh.rs", "duplicate_line": 1, "correlation_key": "fp|285360aae4f5f6bd7c8ac411749b553c48b94eba5789111a5aa2ee4b0d83076f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/runtime/startup_sh.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139982, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3723cf29d3621aeb64daa44914c55ddf9698fd786adfc03a8933eed0d25e1c20", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs-cli/main/src/cmd_server.rs", "duplicate_line": 48, "correlation_key": "fp|3723cf29d3621aeb64daa44914c55ddf9698fd786adfc03a8933eed0d25e1c20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/fixtures.rs"}, "region": {"startLine": 175}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139981, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0bff886d047dc719abcad6dedee2b32381671cdf4f0be47b7756f748e93b7867", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs-vfs/src/fuse.rs", 
"duplicate_line": 77, "correlation_key": "fp|0bff886d047dc719abcad6dedee2b32381671cdf4f0be47b7756f748e93b7867"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-vfs/src/winfsp/mount.rs"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139980, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6299eb48954e571e39f828b9a7b43f8f934879e9c561aad861847cd372d2a0a1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs-cli/main/src/cmd_info.rs", "duplicate_line": 45, "correlation_key": "fp|6299eb48954e571e39f828b9a7b43f8f934879e9c561aad861847cd372d2a0a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-cli/main/src/cmd_platforms.rs"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139979, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ed8ed798ef78ca8d7dde11023e5d0c7d112dac8695b50e28628355187e59274", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs-cli/main/src/cmd_layers.rs", "duplicate_line": 19, "correlation_key": "fp|9ed8ed798ef78ca8d7dde11023e5d0c7d112dac8695b50e28628355187e59274"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-cli/main/src/cmd_platforms.rs"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 139978, "scanner": "repobility-ai-code-hygiene", "fingerprint": "652617f5984ef732440b3c4c5fb0d9ebfe14747023dfd38288488dce27f6ec60", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/spfs-cli/main/src/cmd_info.rs", "duplicate_line": 45, "correlation_key": "fp|652617f5984ef732440b3c4c5fb0d9ebfe14747023dfd38288488dce27f6ec60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-cli/main/src/cmd_layers.rs"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 139977, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae24ca500fef89878431297ebe6866c04c7c3a08a7e793a0dcdb4bab40bdd947", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "new", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ae24ca500fef89878431297ebe6866c04c7c3a08a7e793a0dcdb4bab40bdd947"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-cli/group2/src/cmd_new.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks 
like an AI patch artifact"}, "properties": {"repobilityId": 139976, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4643a07132fdca3192cd424455f995faa365fbba6af91154badfb530b92805e", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "clean", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|f4643a07132fdca3192cd424455f995faa365fbba6af91154badfb530b92805e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-cli/cmd-clean/src/cmd_clean.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 140095, "scanner": "repobility-threat-engine", "fingerprint": "feac00b1359791b289511fb43c506e6096ff02ad6bfefaff51c819dd882f3266", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|feac00b1359791b289511fb43c506e6096ff02ad6bfefaff51c819dd882f3266"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/static/js/search.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI 
style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 140092, "scanner": "repobility-threat-engine", "fingerprint": "be39972b42eade2efdb813c9683c8b2ddccf465b8a9083b0879150675e1e9b02", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b|mock|fixture|spec\\b' detected on same line", "evidence": {"match": "\"@supports (\"+i+\") { #modernizr { position: absolute; } }\"", "reason": "Safe pattern 'test\\b|mock|fixture|spec\\b' detected on same line", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|be39972b42eade2efdb813c9683c8b2ddccf465b8a9083b0879150675e1e9b02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/static/js/modernizr.custom-3.6.0.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and runs event-handler attributes in the data; a <script> element inserted through innerHTML is not itself executed, so stripping <script> tags alone is not a mitigation. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 140091, "scanner": "repobility-threat-engine", "fingerprint": "a0a741659d57c78cdd7cb55fc07bd3bfc364350d0f895c6787797dea3e1e4400", "category": "xss", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"match": ".innerHTML=\"x<style>\"+t", "reason": "Safe pattern 'test\\b' detected on same line", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|a0a741659d57c78cdd7cb55fc07bd3bfc364350d0f895c6787797dea3e1e4400"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/static/js/modernizr.custom-3.6.0.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED039", "level": "none", "message": {"text": "[MINED039] Rust Todo Macro (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 140083, "scanner": "repobility-threat-engine", "fingerprint": "84dde797c2186ffbd0f4bc842ea90ece7245118a56a51bf320799e6f34e2664f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|84dde797c2186ffbd0f4bc842ea90ece7245118a56a51bf320799e6f34e2664f", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 140076, "scanner": "repobility-threat-engine", "fingerprint": "87f8a42d8d9d764aff5d2325f1125eeac8aec5098df436e05f08d166f1947901", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87f8a42d8d9d764aff5d2325f1125eeac8aec5098df436e05f08d166f1947901"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/static/js/modernizr.custom-3.6.0.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 140075, "scanner": "repobility-threat-engine", "fingerprint": "4c399cf9f996139d1e29dd11e5153b2934127a7d5ec18c6c9a23104647ec57da", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c399cf9f996139d1e29dd11e5153b2934127a7d5ec18c6c9a23104647ec57da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/fixtures.rs"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 140074, "scanner": "repobility-threat-engine", "fingerprint": "5fd28a1c51a9d609f52a8ac0cf6f201fd1a927e705b4761183617b43417156ba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5fd28a1c51a9d609f52a8ac0cf6f201fd1a927e705b4761183617b43417156ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-cli/cmd-winfsp/src/cmd_winfsp.rs"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 21 more): Same pattern found in 21 additional files. 
Review if needed."}, "properties": {"repobilityId": 140070, "scanner": "repobility-threat-engine", "fingerprint": "11e31a3fef3d569ab74501741711447ae014bd9a77682f0555949aae826c5139", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|11e31a3fef3d569ab74501741711447ae014bd9a77682f0555949aae826c5139", "aggregated_count": 21}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 140069, "scanner": "repobility-threat-engine", "fingerprint": "4a7f2e1224ad9ef2f3f0eee52624c35053f4c71a3d127b3895d83a4ca241aee8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a7f2e1224ad9ef2f3f0eee52624c35053f4c71a3d127b3895d83a4ca241aee8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-encoding/src/hash.rs"}, "region": {"startLine": 289}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 140068, "scanner": "repobility-threat-engine", "fingerprint": "b449fba5cfb31a06fb0f1ddb0745ae6bc775e82b80bfe1380e6c7bb1eddfbe13", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b449fba5cfb31a06fb0f1ddb0745ae6bc775e82b80bfe1380e6c7bb1eddfbe13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-cli/cmd-winfsp/src/cmd_winfsp.rs"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 140067, "scanner": "repobility-threat-engine", "fingerprint": "f36b13b4c79a9192718830abc18824c0f2299514f6bf027e6c3b5851fa393fb0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f36b13b4c79a9192718830abc18824c0f2299514f6bf027e6c3b5851fa393fb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/progress_bar_derive_macro/src/lib.rs"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 140066, "scanner": "repobility-threat-engine", "fingerprint": "f60ddbb2c2d63a686c4405a3be0df1b02c7a8143cc293bef60bae71bedce0161", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f60ddbb2c2d63a686c4405a3be0df1b02c7a8143cc293bef60bae71bedce0161", "aggregated_count": 21}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 140062, "scanner": "repobility-threat-engine", "fingerprint": "8759d8d3382a10f9983b195b0dc989ef25e29fbf588a4c139ca1b08552404f63", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8759d8d3382a10f9983b195b0dc989ef25e29fbf588a4c139ca1b08552404f63", "aggregated_count": 20}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 140061, "scanner": "repobility-threat-engine", "fingerprint": "d6607b5873e56005e4803291c42876be169665b15880198ceab10202af26a211", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6607b5873e56005e4803291c42876be169665b15880198ceab10202af26a211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-cli/cmd-winfsp/src/cmd_winfsp.rs"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 140060, "scanner": "repobility-threat-engine", "fingerprint": "bd05f30d563f1a8a2dfcae1f7a11e52d6ecfdef7cda5f5265dfd6bec3ba724d2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bd05f30d563f1a8a2dfcae1f7a11e52d6ecfdef7cda5f5265dfd6bec3ba724d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-cli/cmd-join/src/cmd_join.rs"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 140059, "scanner": "repobility-threat-engine", "fingerprint": "7adfcc308e210a1c0edf287a28147259d2d3662ce2b7dc2697650621c9df63d5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7adfcc308e210a1c0edf287a28147259d2d3662ce2b7dc2697650621c9df63d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/parsedbuf/src/lib.rs"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 140058, "scanner": "repobility-threat-engine", "fingerprint": "b0811e157f5b25ff0defe39bccf8a2060dfa8263d6723148ebe692d678a977e7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b0811e157f5b25ff0defe39bccf8a2060dfa8263d6723148ebe692d678a977e7", "aggregated_count": 2}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 140057, "scanner": "repobility-threat-engine", "fingerprint": "3451797c57cd8498da4a142b660ff62e685006e6d0dc855fdfe64499678d9855", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3451797c57cd8498da4a142b660ff62e685006e6d0dc855fdfe64499678d9855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/fixtures.rs"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 140056, "scanner": "repobility-threat-engine", "fingerprint": "d3922a23f04ee54cd2eba56dc53068a67aebcedef041d114d4a09055eebdc8f3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d3922a23f04ee54cd2eba56dc53068a67aebcedef041d114d4a09055eebdc8f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-encoding/src/hash.rs"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 140055, "scanner": "repobility-threat-engine", "fingerprint": "fd8bc12462836abcc4528b7cdcefd7f85c0abc0237439ab3c58a445e38b48a43", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd8bc12462836abcc4528b7cdcefd7f85c0abc0237439ab3c58a445e38b48a43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/is_default_derive_macro/src/lib.rs"}, "region": {"startLine": 69}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `pkginfo` is patch version(s) behind (1.12.0 -> 1.12.1.2)"}, "properties": {"repobilityId": 140049, "scanner": "repobility-dependency-currency", "fingerprint": "2ae8d2409d54dc01932abfd85e4cfa091cf93b007ed4718bf6a5cfaad5d83f19", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pkginfo", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.12.1.2", "correlation_key": "fp|2ae8d2409d54dc01932abfd85e4cfa091cf93b007ed4718bf6a5cfaad5d83f19", "current_version": "1.12.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/spk-convert-pip/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "RUSTSEC-2024-0320", "level": "error", "message": {"text": "yaml-rust: RUSTSEC-2024-0320"}, "properties": 
{"repobilityId": 140113, "scanner": "osv-scanner", "fingerprint": "70967c64ce611dd07d3a189ca0d1542831d3a26c197c68aa7b72fc171615d198", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "yaml-rust", "rule_id": "RUSTSEC-2024-0320", "scanner": "osv-scanner", "correlation_key": "fp|70967c64ce611dd07d3a189ca0d1542831d3a26c197c68aa7b72fc171615d198"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0098", "level": "error", "message": {"text": "unic-ucd-version: RUSTSEC-2025-0098"}, "properties": {"repobilityId": 140112, "scanner": "osv-scanner", "fingerprint": "06fe7c47e9b484cb74a72b526eeb1bd4918050594abaff6f206c98d977915f20", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-ucd-version", "rule_id": "RUSTSEC-2025-0098", "scanner": "osv-scanner", "correlation_key": "fp|06fe7c47e9b484cb74a72b526eeb1bd4918050594abaff6f206c98d977915f20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0104", "level": "error", "message": {"text": "unic-ucd-segment: RUSTSEC-2025-0104"}, "properties": {"repobilityId": 140111, "scanner": "osv-scanner", "fingerprint": "f6d3f3838507fd2c0718447a05681e4e4994375b332cdbd320872fb2e38eca3a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-ucd-segment", "rule_id": "RUSTSEC-2025-0104", "scanner": "osv-scanner", "correlation_key": "fp|f6d3f3838507fd2c0718447a05681e4e4994375b332cdbd320872fb2e38eca3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0074", "level": "error", "message": {"text": "unic-segment: RUSTSEC-2025-0074"}, "properties": {"repobilityId": 140110, "scanner": "osv-scanner", "fingerprint": "f48db2ea6c76db78eef3b54bfbcf2b3e012fd7ffcb6ab253616226c1b3aa2af6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-segment", "rule_id": "RUSTSEC-2025-0074", "scanner": "osv-scanner", "correlation_key": "fp|f48db2ea6c76db78eef3b54bfbcf2b3e012fd7ffcb6ab253616226c1b3aa2af6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0080", "level": "error", "message": {"text": "unic-common: RUSTSEC-2025-0080"}, "properties": {"repobilityId": 140109, "scanner": "osv-scanner", "fingerprint": "5c35bf96b81287dcd2e5ed2b97337276e2d14de552724e356eaaace1897ff3fa", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-common", "rule_id": "RUSTSEC-2025-0080", "scanner": "osv-scanner", "correlation_key": "fp|5c35bf96b81287dcd2e5ed2b97337276e2d14de552724e356eaaace1897ff3fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0075", "level": "error", "message": {"text": "unic-char-range: RUSTSEC-2025-0075"}, "properties": {"repobilityId": 140108, "scanner": "osv-scanner", "fingerprint": "fa8344e1f03d5986c0a672e54d9533c5eb80400e4844eecab6b1f630ac9e76b0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-char-range", "rule_id": "RUSTSEC-2025-0075", "scanner": "osv-scanner", "correlation_key": 
"fp|fa8344e1f03d5986c0a672e54d9533c5eb80400e4844eecab6b1f630ac9e76b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0081", "level": "error", "message": {"text": "unic-char-property: RUSTSEC-2025-0081"}, "properties": {"repobilityId": 140107, "scanner": "osv-scanner", "fingerprint": "a0d9725cc2e8feb0f8c178c7e1e1ab6560fb992068321457c042afe3f7897cce", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "unic-char-property", "rule_id": "RUSTSEC-2025-0081", "scanner": "osv-scanner", "correlation_key": "fp|a0d9725cc2e8feb0f8c178c7e1e1ab6560fb992068321457c042afe3f7897cce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0009", "level": "error", "message": {"text": "time: RUSTSEC-2026-0009"}, "properties": {"repobilityId": 140106, "scanner": "osv-scanner", "fingerprint": "9fb941cdcde7d808df297ded949de574907ac1fbeb6f7223b9e05c56e941adb0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25727", "GHSA-r6v5-fh4h-64xc"], "package": "time", "rule_id": "RUSTSEC-2026-0009", "scanner": "osv-scanner", "correlation_key": "vuln|time|CVE-2026-25727|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r6v5-fh4h-64xc", "RUSTSEC-2026-0009"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2c2d2ae12df666e8132d287bd534a3c14d824cdb5129b7d9425024955a840e9f", "9fb941cdcde7d808df297ded949de574907ac1fbeb6f7223b9e05c56e941adb0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"RUSTSEC-2021-0127", "level": "error", "message": {"text": "serde_cbor: RUSTSEC-2021-0127"}, "properties": {"repobilityId": 140105, "scanner": "osv-scanner", "fingerprint": "a1dd4446b1ebae535d80097a37bd392cdf56bfe6431e6f6faea9a80fa4e9997d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serde_cbor", "rule_id": "RUSTSEC-2021-0127", "scanner": "osv-scanner", "correlation_key": "fp|a1dd4446b1ebae535d80097a37bd392cdf56bfe6431e6f6faea9a80fa4e9997d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0026", "level": "error", "message": {"text": "registry: RUSTSEC-2025-0026"}, "properties": {"repobilityId": 140104, "scanner": "osv-scanner", "fingerprint": "6f86d1694dccc0ae41e67841ff0fd8c8569a1a1813509b250bdfc9e314a65de6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "registry", "rule_id": "RUSTSEC-2025-0026", "scanner": "osv-scanner", "correlation_key": "fp|6f86d1694dccc0ae41e67841ff0fd8c8569a1a1813509b250bdfc9e314a65de6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0097", "level": "error", "message": {"text": "rand: RUSTSEC-2026-0097"}, "properties": {"repobilityId": 140103, "scanner": "osv-scanner", "fingerprint": "a22e3aa5f0c463335f53b031b0648b51d94f3563915cac37a8666a217ed7a5dc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-cq8v-f236-94qc"], "package": "rand", "rule_id": "RUSTSEC-2026-0097", "scanner": "osv-scanner", 
"correlation_key": "vuln|rand|GHSA-CQ8V-F236-94QC|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cq8v-f236-94qc", "RUSTSEC-2026-0097"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["a22e3aa5f0c463335f53b031b0648b51d94f3563915cac37a8666a217ed7a5dc", "ee2ad9157999fcb0c8f925391a5e09946511288ceed3e6c5f5b05828611b879f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0436", "level": "error", "message": {"text": "paste: RUSTSEC-2024-0436"}, "properties": {"repobilityId": 140102, "scanner": "osv-scanner", "fingerprint": "ecf6a49d252eada338538964a3d9bb37acf276dba6d473e55cf76f528b35783f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "paste", "rule_id": "RUSTSEC-2024-0436", "scanner": "osv-scanner", "correlation_key": "fp|ecf6a49d252eada338538964a3d9bb37acf276dba6d473e55cf76f528b35783f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0119", "level": "error", "message": {"text": "number_prefix: RUSTSEC-2025-0119"}, "properties": {"repobilityId": 140101, "scanner": "osv-scanner", "fingerprint": "cc81fba84c326e572b9634175b3b53e32085ac28a5cd991c3bb028754d296545", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "number_prefix", "rule_id": "RUSTSEC-2025-0119", "scanner": "osv-scanner", "correlation_key": "fp|cc81fba84c326e572b9634175b3b53e32085ac28a5cd991c3bb028754d296545"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0384", "level": "error", "message": {"text": "instant: RUSTSEC-2024-0384"}, "properties": 
{"repobilityId": 140100, "scanner": "osv-scanner", "fingerprint": "2ceb760f484abeb3a84e0d3edb5de7bba161864b40faf40414de9a12f611490f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "instant", "rule_id": "RUSTSEC-2024-0384", "scanner": "osv-scanner", "correlation_key": "fp|2ceb760f484abeb3a84e0d3edb5de7bba161864b40faf40414de9a12f611490f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0375", "level": "error", "message": {"text": "atty: RUSTSEC-2024-0375"}, "properties": {"repobilityId": 140099, "scanner": "osv-scanner", "fingerprint": "7659bfa3796c87ab29d2fa2fed8de97a968f38d0d7927cd19e00695ce8330bd5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "atty", "rule_id": "RUSTSEC-2024-0375", "scanner": "osv-scanner", "correlation_key": "fp|7659bfa3796c87ab29d2fa2fed8de97a968f38d0d7927cd19e00695ce8330bd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2021-0145", "level": "error", "message": {"text": "atty: RUSTSEC-2021-0145"}, "properties": {"repobilityId": 140098, "scanner": "osv-scanner", "fingerprint": "a1c674679a0daa9ad82d1d4917872781295adfcddd1cd580124d38ff15d2687a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-g98v-hv3f-hcfr"], "package": "atty", "rule_id": "RUSTSEC-2021-0145", "scanner": "osv-scanner", "correlation_key": "vuln|atty|GHSA-G98V-HV3F-HCFR|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-g98v-hv3f-hcfr", 
"RUSTSEC-2021-0145"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["40f04d504386f433be36aeb657151d1f32299623bc61dff32f4ed07d1989ada2", "a1c674679a0daa9ad82d1d4917872781295adfcddd1cd580124d38ff15d2687a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 140094, "scanner": "repobility-threat-engine", "fingerprint": "136a41f4c5e8a13a1a990c87f3b20e841a7be77ca79fd72d483038b1cdb00802", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(queryTerm+\"^100\"+\" \"+queryTerm+\"*^10\"+\" \"+\"*\"+queryTerm+\"^10\"+\" \"+queryTerm+\"~2^1\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|website/static/js/search.js|54|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/static/js/search.js"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 140090, "scanner": "repobility-threat-engine", "fingerprint": "46eb2f485df780ad8525aab2531ca4514ace2f6084307d81ebcd0f0a1f64e43e", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": 
{"match": ".innerHTML=o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|3|sec006", "duplicate_count": 1, "duplicate_rule_ids": ["SEC006"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["46eb2f485df780ad8525aab2531ca4514ace2f6084307d81ebcd0f0a1f64e43e", "b4b3ef9ab3b66cf93c701a6cfa571eb0feea24ffaf97955216a0582ee8e930fb"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/static/js/auto-complete.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 140089, "scanner": "repobility-threat-engine", "fingerprint": "8f4156010b20986812224feb72d7129a63319efc99f6044bef49bc4bd2ffad1c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f4156010b20986812224feb72d7129a63319efc99f6044bef49bc4bd2ffad1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-solve/src/search_space.rs"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 140088, "scanner": "repobility-threat-engine", "fingerprint": "5e0971d59addedb8bd4282c5581f217f6e7e1951e59ed84b9e53242f477e99a0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e0971d59addedb8bd4282c5581f217f6e7e1951e59ed84b9e53242f477e99a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-solve/src/status_line.rs"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 140087, "scanner": "repobility-threat-engine", "fingerprint": "92e817199b403e4eec53479ac72ab11d30588dc73cdff54f3efdf6b2afaa7638", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92e817199b403e4eec53479ac72ab11d30588dc73cdff54f3efdf6b2afaa7638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/storage/pinned/repository.rs"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 140086, "scanner": "repobility-threat-engine", "fingerprint": "18df05d23edf9223c14c2d34d6e9451d244867a54c3dcc01368911f45a93e404", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18df05d23edf9223c14c2d34d6e9451d244867a54c3dcc01368911f45a93e404"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/storage/fs/renderer_win.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 140085, "scanner": "repobility-threat-engine", "fingerprint": "0297c7d2c7723e1bbb2b375b77d06bd7718153ed8ab6b70d0d7fee7b5abc6387", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0297c7d2c7723e1bbb2b375b77d06bd7718153ed8ab6b70d0d7fee7b5abc6387"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/storage/rpc/repository.rs"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 140084, "scanner": "repobility-threat-engine", "fingerprint": "0cfd42d805844c07cc5bf07614d67a2a93402c22d5a504a119c9264246e9a082", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0cfd42d805844c07cc5bf07614d67a2a93402c22d5a504a119c9264246e9a082"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/storage/config.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "properties": {"repobilityId": 140082, "scanner": "repobility-threat-engine", "fingerprint": "4004f9de83d34a654a06dbe6f0740c7b8df05a980dabd957326238385fcc00d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4004f9de83d34a654a06dbe6f0740c7b8df05a980dabd957326238385fcc00d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/status_win.rs"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. 
Unimplemented code path."}, "properties": {"repobilityId": 140081, "scanner": "repobility-threat-engine", "fingerprint": "7447664d220e67b3805196f0575b88b3e83d499a076ed41b97f0a53910413608", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7447664d220e67b3805196f0575b88b3e83d499a076ed41b97f0a53910413608"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/monitor_win.rs"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. 
Unimplemented code path."}, "properties": {"repobilityId": 140080, "scanner": "repobility-threat-engine", "fingerprint": "aa1dc96f79f8102a99bad7b37aeb39d008e0e4c10657457178e25ed954ffe466", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa1dc96f79f8102a99bad7b37aeb39d008e0e4c10657457178e25ed954ffe466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/env_win.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 140079, "scanner": "repobility-threat-engine", "fingerprint": "e2b21e0e1f6d3c64061c84f54d16e45ad9960b674653f5d0534b24564e892bdd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hasher.update(b\"=\");", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e2b21e0e1f6d3c64061c84f54d16e45ad9960b674653f5d0534b24564e892bdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spk-schema/src/build_spec.rs"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 140078, "scanner": "repobility-threat-engine", "fingerprint": "db8b7c9aac7b88283e5e7dc55c0ddd12e64811d9b22cad1c4b1902f00f152ebd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "existing.update(node);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|db8b7c9aac7b88283e5e7dc55c0ddd12e64811d9b22cad1c4b1902f00f152ebd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs/src/tracking/entry.rs"}, "region": {"startLine": 376}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 140077, "scanner": "repobility-threat-engine", "fingerprint": "7e4f6b81b3e127aafeb0db15dc39b6b91ccabcdfe3f06232c88abee54722cf55", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.ctx.update(&buf[..count]);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7e4f6b81b3e127aafeb0db15dc39b6b91ccabcdfe3f06232c88abee54722cf55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-encoding/src/hash.rs"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 140065, "scanner": "repobility-threat-engine", "fingerprint": "4b017e5a7f416354fa3094ffc8b3256e24b4bd4fac5ad0cb519233f469b96c54", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b017e5a7f416354fa3094ffc8b3256e24b4bd4fac5ad0cb519233f469b96c54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-proto/build.rs"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In 
Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 140064, "scanner": "repobility-threat-engine", "fingerprint": "bcfdb36ccd860470bf4b5396c4ab0a0aaec761523537cd8f7c37186c6e203832", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bcfdb36ccd860470bf4b5396c4ab0a0aaec761523537cd8f7c37186c6e203832"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/spfs-cli/cmd-render/src/cmd_render.rs"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 140063, "scanner": "repobility-threat-engine", "fingerprint": "f12e251f5339721288d7ecd0b75c2dfc49b7299303d190d4365ba8e18ab0078e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f12e251f5339721288d7ecd0b75c2dfc49b7299303d190d4365ba8e18ab0078e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/progress_bar_derive_macro/src/lib.rs"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 140053, "scanner": "repobility-threat-engine", "fingerprint": "0dc00ce56a03bd7e37cdd007214a5eee03718502d812232cad0298c18a0d69b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0dc00ce56a03bd7e37cdd007214a5eee03718502d812232cad0298c18a0d69b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/unittests.sh"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `rust:slim-bookworm` unpinned"}, "properties": {"repobilityId": 140047, "scanner": "repobility-supply-chain", "fingerprint": "ef92dcb9d905fd5e8648ebc1a05721d9898e61c428bccac3ed506372b234e74d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef92dcb9d905fd5e8648ebc1a05721d9898e61c428bccac3ed506372b234e74d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `rust:slim-bookworm` unpinned"}, "properties": {"repobilityId": 140046, "scanner": "repobility-supply-chain", 
"fingerprint": "17313766e80349fa0c12488eab45b43929b47c512e1ad10fe0ff686f91488453", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|17313766e80349fa0c12488eab45b43929b47c512e1ad10fe0ff686f91488453"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 140045, "scanner": "repobility-supply-chain", "fingerprint": "3fdc515225530dabce10832ddb4d2a53915bb72538995bd0669d1a18841d5218", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3fdc515225530dabce10832ddb4d2a53915bb72538995bd0669d1a18841d5218"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 270}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `mozilla-actions/sccache-action` pinned to mutable ref `@v0.0.9`"}, "properties": {"repobilityId": 140044, "scanner": "repobility-supply-chain", "fingerprint": "6e140fe9c6d034545f33cf38d346a40abaf4b24d695b0d0ecb5cd62ba867d0fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": 
"A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e140fe9c6d034545f33cf38d346a40abaf4b24d695b0d0ecb5cd62ba867d0fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 267}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 140043, "scanner": "repobility-supply-chain", "fingerprint": "aa5a15931d2258460f92b8a32f6a37874bbe685866496633966c94ed1f6cb077", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa5a15931d2258460f92b8a32f6a37874bbe685866496633966c94ed1f6cb077"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `styfle/cancel-workflow-action` pinned to mutable ref `@0.11.0`"}, "properties": {"repobilityId": 140042, "scanner": "repobility-supply-chain", "fingerprint": "76573360dda4730ba2fef13fbeda5ee3830924ad3b805d827419d889c9cd77cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76573360dda4730ba2fef13fbeda5ee3830924ad3b805d827419d889c9cd77cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, 
"region": {"startLine": 232}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 140041, "scanner": "repobility-supply-chain", "fingerprint": "31243594dacbd27e590ad46931467a45e4dd08c6f9ea4a4445f4415627c0fda0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31243594dacbd27e590ad46931467a45e4dd08c6f9ea4a4445f4415627c0fda0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `mozilla-actions/sccache-action` pinned to mutable ref `@v0.0.9`"}, "properties": {"repobilityId": 140040, "scanner": "repobility-supply-chain", "fingerprint": "202fc842e2d625105063a86ebf785ac4b40d7c3c4138263eedf396b4ade72138", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|202fc842e2d625105063a86ebf785ac4b40d7c3c4138263eedf396b4ade72138"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 140039, "scanner": "repobility-supply-chain", "fingerprint": "968139e744163b3b3a9f6b8041e5b02d7155954711674cd04604b15c28bf4b91", 
"category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|968139e744163b3b3a9f6b8041e5b02d7155954711674cd04604b15c28bf4b91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `styfle/cancel-workflow-action` pinned to mutable ref `@0.11.0`"}, "properties": {"repobilityId": 140038, "scanner": "repobility-supply-chain", "fingerprint": "d9f35d1f2f2b82278d07f8f3e6a1e6819aae242cf29c73e1cfe9442778210ba2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9f35d1f2f2b82278d07f8f3e6a1e6819aae242cf29c73e1cfe9442778210ba2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 140037, "scanner": "repobility-supply-chain", "fingerprint": "b1edb5b9d9dd4fba1aa96a493c1fe4e740f06e39a04fa0dc00331a4e7c386b05", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|b1edb5b9d9dd4fba1aa96a493c1fe4e740f06e39a04fa0dc00331a4e7c386b05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `crazy-max/ghaction-chocolatey` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 140036, "scanner": "repobility-supply-chain", "fingerprint": "9373b73e3d7b257b232d2847a2f795f27e236ed10a64455a6d05c44fe5d5d398", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9373b73e3d7b257b232d2847a2f795f27e236ed10a64455a6d05c44fe5d5d398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 140035, "scanner": "repobility-supply-chain", "fingerprint": "67b3f87390a6ad0587c0ff868bdc0161e35f2612e27ee9edcaafa55471c9b2a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67b3f87390a6ad0587c0ff868bdc0161e35f2612e27ee9edcaafa55471c9b2a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`styfle/cancel-workflow-action` pinned to mutable ref `@0.11.0`"}, "properties": {"repobilityId": 140034, "scanner": "repobility-supply-chain", "fingerprint": "e8642362cd5c264923a1182d896bac4940c5f2a366068434bf2a66559eccad99", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8642362cd5c264923a1182d896bac4940c5f2a366068434bf2a66559eccad99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 140033, "scanner": "repobility-supply-chain", "fingerprint": "8d5af43e255275f478315e870dd6ad0253c07ee3f1f3ce6c1b9b9a63581a7e06", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d5af43e255275f478315e870dd6ad0253c07ee3f1f3ce6c1b9b9a63581a7e06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rpm.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dawidd6/action-download-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 140032, "scanner": "repobility-supply-chain", "fingerprint": "bd9c7e832e29a97ececdb05e461293442d4f5932f79fe1c62432e45188334b2a", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd9c7e832e29a97ececdb05e461293442d4f5932f79fe1c62432e45188334b2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rpm.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 140031, "scanner": "repobility-supply-chain", "fingerprint": "749f5c394d1a0f87f93744bf271294e8527ba642685ea92f83d87c4e9643b8ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|749f5c394d1a0f87f93744bf271294e8527ba642685ea92f83d87c4e9643b8ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rpm.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `styfle/cancel-workflow-action` pinned to mutable ref `@0.11.0`"}, "properties": {"repobilityId": 140030, "scanner": "repobility-supply-chain", "fingerprint": "037ecbc7759045ff64b6b5f090b4df8d8d49aea2d77dbdd4a2c543a1446673f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|037ecbc7759045ff64b6b5f090b4df8d8d49aea2d77dbdd4a2c543a1446673f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rpm.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 140029, "scanner": "repobility-supply-chain", "fingerprint": "4aec5da651f0cce67e8841eb1efce26098b2a8a38ea5c70fa82fcac995ce7069", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4aec5da651f0cce67e8841eb1efce26098b2a8a38ea5c70fa82fcac995ce7069"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rpm.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 140028, "scanner": "repobility-supply-chain", "fingerprint": "f40a883905cf778025c56d78ae520410e4fd6c2e10a381873833297cec95b23e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f40a883905cf778025c56d78ae520410e4fd6c2e10a381873833297cec95b23e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rpm.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `styfle/cancel-workflow-action` pinned to mutable ref 
`@0.11.0`"}, "properties": {"repobilityId": 140027, "scanner": "repobility-supply-chain", "fingerprint": "5f5575ad60d959958e465974eee00c404c941a6587cfec901fea3f548bf6f9ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f5575ad60d959958e465974eee00c404c941a6587cfec901fea3f548bf6f9ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rpm.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `rust:slim-bookworm` unpinned"}, "properties": {"repobilityId": 140026, "scanner": "repobility-supply-chain", "fingerprint": "b94b13fec32f655d7905f8d6c552b0f7ae84831521b6bd4ded525a956b9a8fa8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b94b13fec32f655d7905f8d6c552b0f7ae84831521b6bd4ded525a956b9a8fa8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `irongut/CodeCoverageSummary` pinned to mutable ref `@v1.3.0`"}, "properties": {"repobilityId": 140024, "scanner": "repobility-supply-chain", "fingerprint": "bea24f2549e2363ae10d69b49786619017ed2c2befea81d36fca49ac97e567cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bea24f2549e2363ae10d69b49786619017ed2c2befea81d36fca49ac97e567cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `codecov/codecov-action` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 140023, "scanner": "repobility-supply-chain", "fingerprint": "7458952582f717d3beb2cbbf7467fb1aeff66352a2d6fbd80a9ccc03690267aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7458952582f717d3beb2cbbf7467fb1aeff66352a2d6fbd80a9ccc03690267aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 140022, "scanner": "repobility-supply-chain", "fingerprint": "9be39b5547f89f467e42cb49a4412071e0036f1c67de186d1e23448d1f2d4358", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9be39b5547f89f467e42cb49a4412071e0036f1c67de186d1e23448d1f2d4358"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `styfle/cancel-workflow-action` pinned to mutable ref `@0.11.0`"}, "properties": {"repobilityId": 140021, "scanner": "repobility-supply-chain", "fingerprint": "f0c853eb9ddaa485997fa2b8fca3ebf70f52735e62146e704497563cc3491263", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0c853eb9ddaa485997fa2b8fca3ebf70f52735e62146e704497563cc3491263"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `streetsidesoftware/cspell-action` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 140020, "scanner": "repobility-supply-chain", "fingerprint": "8fea7e53226cd3720569838245cb7c79f2d999c776482b0f4d824f7c2e93672b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fea7e53226cd3720569838245cb7c79f2d999c776482b0f4d824f7c2e93672b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cspell.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 140019, 
"scanner": "repobility-supply-chain", "fingerprint": "efa2f6d5cb583228b4e61305bfcca34a0b75d0f7d624b1e52b5eb4ebe11c76c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|efa2f6d5cb583228b4e61305bfcca34a0b75d0f7d624b1e52b5eb4ebe11c76c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cspell.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `centos:7` not pinned by digest"}, "properties": {"repobilityId": 140018, "scanner": "repobility-supply-chain", "fingerprint": "5131d15bde397af7818b96ac74599e7cce5f9c599df808ecb4b54f45b514a025", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5131d15bde397af7818b96ac74599e7cce5f9c599df808ecb4b54f45b514a025"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `almalinux:9` not pinned by digest"}, "properties": {"repobilityId": 140017, "scanner": "repobility-supply-chain", "fingerprint": "4508b756a0e452b8030ff5ff5d2789ddd3ac344fb266e37d526789cf1bd23ef1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", 
"owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4508b756a0e452b8030ff5ff5d2789ddd3ac344fb266e37d526789cf1bd23ef1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rpmbuild.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_version_printing"}, "properties": {"repobilityId": 140016, "scanner": "repobility-ast-engine", "fingerprint": "60c208eb335278c6c604550f23d3fce136c97b2f29e1ff07b3a1d9c4d9412b89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|60c208eb335278c6c604550f23d3fce136c97b2f29e1ff07b3a1d9c4d9412b89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/python_example/_example_test.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.path` used but never assigned in __init__"}, "properties": {"repobilityId": 140015, "scanner": "repobility-ast-engine", "fingerprint": "c7bfaf5b4767e9980d0f99c5b277dc9cd0afa1c5904d905f5a79d894931b306c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c7bfaf5b4767e9980d0f99c5b277dc9cd0afa1c5904d905f5a79d894931b306c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".site/spi/.spdev/overrides.py"}, 
"region": {"startLine": 123}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.name` used but never assigned in __init__"}, "properties": {"repobilityId": 140014, "scanner": "repobility-ast-engine", "fingerprint": "9377d8900595ea0e41c4fc7a17609c3a902fea63a771e2a266746a2367173e43", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9377d8900595ea0e41c4fc7a17609c3a902fea63a771e2a266746a2367173e43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".site/spi/.spdev/overrides.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.build_dir` used but never assigned in __init__"}, "properties": {"repobilityId": 140013, "scanner": "repobility-ast-engine", "fingerprint": "277e8c5c16e087d94174a565d42a1ed9b584461573d09624c92d06c7b1067f24", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|277e8c5c16e087d94174a565d42a1ed9b584461573d09624c92d06c7b1067f24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".site/spi/.spdev/overrides.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.path` used but never assigned in __init__"}, "properties": {"repobilityId": 140012, "scanner": "repobility-ast-engine", "fingerprint": "b5af38ce560dfb0179c29e8c003f0c27f7fee1688d0c0dfc013187c9b40700c9", "category": "quality", 
"severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b5af38ce560dfb0179c29e8c003f0c27f7fee1688d0c0dfc013187c9b40700c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".site/spi/.spdev/overrides.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.build_dir` used but never assigned in __init__"}, "properties": {"repobilityId": 140011, "scanner": "repobility-ast-engine", "fingerprint": "634fc68dac998382b179cbe820d237955331540279b08a684203acdef5f55914", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|634fc68dac998382b179cbe820d237955331540279b08a684203acdef5f55914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".site/spi/.spdev/overrides.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.name` used but never assigned in __init__"}, "properties": {"repobilityId": 140010, "scanner": "repobility-ast-engine", "fingerprint": "f8faff0e9812fd040e8c4de56c8785dc2d13c2eaacd5529a19e8721a8dc4f8a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|f8faff0e9812fd040e8c4de56c8785dc2d13c2eaacd5529a19e8721a8dc4f8a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".site/spi/.spdev/overrides.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.path` used but never assigned in __init__"}, "properties": {"repobilityId": 140009, "scanner": "repobility-ast-engine", "fingerprint": "413a9389af8a110f5bb22cb2bc2549bd8115df4a85f900508b59c7f14f84c98d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|413a9389af8a110f5bb22cb2bc2549bd8115df4a85f900508b59c7f14f84c98d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".site/spi/.spdev/overrides.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.name` used but never assigned in __init__"}, "properties": {"repobilityId": 140008, "scanner": "repobility-ast-engine", "fingerprint": "e6c2b235526fbea4650ee580fa2e38d38f99d6a1b679bf8a74e22a364c44e808", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e6c2b235526fbea4650ee580fa2e38d38f99d6a1b679bf8a74e22a364c44e808"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".site/spi/.spdev/overrides.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._args` used but never assigned in __init__"}, "properties": 
{"repobilityId": 140007, "scanner": "repobility-ast-engine", "fingerprint": "2a0efffe79412ee9c25a1dc379c66f8ee9a6e0a8d632a9981b28bd83051c5d72", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a0efffe79412ee9c25a1dc379c66f8ee9a6e0a8d632a9981b28bd83051c5d72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".site/spi/.spdev/overrides.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._exe` used but never assigned in __init__"}, "properties": {"repobilityId": 140006, "scanner": "repobility-ast-engine", "fingerprint": "fbae74917dbee36bcd0e22fb1f2639f2c6ddb49d08a1af440777f8bcfa006375", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fbae74917dbee36bcd0e22fb1f2639f2c6ddb49d08a1af440777f8bcfa006375"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".site/spi/.spdev/overrides.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_example"}, "properties": {"repobilityId": 140005, "scanner": "repobility-ast-engine", "fingerprint": "b17c17520286d5deb2e317fa8a852c2981e91b4fc6e77f88ed2c995ca1a95454", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", 
"owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b17c17520286d5deb2e317fa8a852c2981e91b4fc6e77f88ed2c995ca1a95454"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/_test.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 140054, "scanner": "repobility-threat-engine", "fingerprint": "287f39b40ebf81c09556ed71249c683c0abc20f659f9fe8cce0c12c1b299e857", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|287f39b40ebf81c09556ed71249c683c0abc20f659f9fe8cce0c12c1b299e857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".site/spi/.spdev/overrides.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 140025, "scanner": "repobility-supply-chain", "fingerprint": "804b0788219c5ef3641af328ca1e62367116b82ab5c7e87447b6d16ca60ff3bb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 
0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|804b0788219c5ef3641af328ca1e62367116b82ab5c7e87447b6d16ca60ff3bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverage.yml"}, "region": {"startLine": 80}}}]}]}]}