{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC014", "name": "Database data bind mount is inside the Docker build context", "shortDescription": {"text": "Database data bind mount is inside the Docker build context"}, "fullDescription": {"text": "Prefer a named volume or a host path outside the build context. If a repo-local path is required, add it to .dockerignore and .gitignore and verify backups separately."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `mongodb_container` image uses the latest tag", "shortDescription": {"text": "Compose service `mongodb_container` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED092", "name": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection.", "shortDescription": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 12 more): Same pattern found in 12 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 25 more): Same pattern found in 25 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED083] Java Thread Start (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. T", "shortDescription": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantl"}, "fullDescription": {"text": "Replace with: `uses: actions/cache@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC101", "name": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes int", "shortDescription": {"text": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) leading to RCE."}, "fullDescription": {"text": "Avoid native Java serialization entirely. Use JSON (Jackson with default-typing OFF) or a length-limited Protobuf. If you must, set up a SerialKiller / lookahead-deserializer with a class allowlist."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/776"}, "properties": {"repository": "iluwatar/java-design-patterns", "repoUrl": "https://github.com/iluwatar/java-design-patterns", "branch": "master"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 65405, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Spring Boot"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 65404, "scanner": "repobility-docker", "fingerprint": "9c9ee5c0de279cf78b2841819911b7d1d89caf113b75bad9c24552b7bca1079a", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mongodb_container", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|9c9ee5c0de279cf78b2841819911b7d1d89caf113b75bad9c24552b7bca1079a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "caching/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 65403, "scanner": "repobility-docker", "fingerprint": "79495cd2b8cc798e3380fbd24caa3e368f09c0fcc3cb9a3f468a7d300ec6a580", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./mongo-data/", "target": "/data/db", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "mongodb_container", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|79495cd2b8cc798e3380fbd24caa3e368f09c0fcc3cb9a3f468a7d300ec6a580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "caching/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `mongodb_container` image uses the latest tag"}, "properties": {"repobilityId": 65400, "scanner": "repobility-docker", "fingerprint": "bd241c3254325e736cf1e41c50f20b85c6dfbf69ca2c395c4fa13d0315098742", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "mongo:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bd241c3254325e736cf1e41c50f20b85c6dfbf69ca2c395c4fa13d0315098742"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "caching/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 65389, "scanner": "repobility-threat-engine", "fingerprint": "58968dd36ffeaa4712844072fe8f124da14384ef4dd8b60f3436f97ef8284633", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|81|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 65373, "scanner": "repobility-threat-engine", "fingerprint": "1c667e36dbb7b1ca07a9cab24f6d1f604b31a674473111d73bc2216554e1ebc9", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LOGGER.info(\"create user: \" + user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1c667e36dbb7b1ca07a9cab24f6d1f604b31a674473111d73bc2216554e1ebc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "metadata-mapping/src/main/java/com/iluwatar/metamapping/service/UserService.java"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 65372, "scanner": "repobility-threat-engine", "fingerprint": "156785fc448f3eb80ce1c231400488f6b895c99bd8c4aa0a64b201b2b521c3b7", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LOGGER.info(\"Add user\" + user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|156785fc448f3eb80ce1c231400488f6b895c99bd8c4aa0a64b201b2b521c3b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "metadata-mapping/src/main/java/com/iluwatar/metamapping/App.java"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 65371, "scanner": "repobility-threat-engine", "fingerprint": "12095e37cc487f5aafc450bc128797ae98069ba0c4a78e6135cf5a74c445a9a3", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LOGGER.info(\n        \"Processing Request with client: \"\n            + request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|12095e37cc487f5aafc450bc128797ae98069ba0c4a78e6135cf5a74c445a9a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client-session/src/main/java/com/iluwatar/client/session/Server.java"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 65370, "scanner": "repobility-threat-engine", "fingerprint": "7dbc881d06d3f7ae163546b96360f2b64861139be9ae1ff0ce0bc0b8e341fecd", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.9 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (2.9 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|4|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "caching/src/main/java/com/iluwatar/caching/database/MongoDb.java"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65399, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0eb34e8964a484e1c398eda4e9bcdadaa8ec6682d6def444074a843b7059492c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "leader-election/src/main/java/com/iluwatar/leaderelection/bully/BullyApp.java", "duplicate_line": 22, "correlation_key": "fp|0eb34e8964a484e1c398eda4e9bcdadaa8ec6682d6def444074a843b7059492c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "leader-election/src/main/java/com/iluwatar/leaderelection/ring/RingApp.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65398, "scanner": "repobility-ai-code-hygiene", "fingerprint": "04e5efda09f21aa5105e3017d17eac9d9887a60df5dadf9e74ac7abf1a6c2b13", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "layered-architecture/src/main/java/entity/CakeLayer.java", "duplicate_line": 8, "correlation_key": "fp|04e5efda09f21aa5105e3017d17eac9d9887a60df5dadf9e74ac7abf1a6c2b13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "layered-architecture/src/main/java/entity/CakeTopping.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65397, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ede03d9e0bfe524229f61278d865f26b114e2e036effa9e1c230233dde580457", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "data-bus/src/main/java/com/iluwatar/databus/AbstractDataType.java", "duplicate_line": 1, "correlation_key": "fp|ede03d9e0bfe524229f61278d865f26b114e2e036effa9e1c230233dde580457"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data-bus/src/main/java/com/iluwatar/databus/Member.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65396, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c5fb3a992d9f2724d85ceb4b628bfe819288fc23ebb77c5b83a11130f69ff23", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "data-bus/src/main/java/com/iluwatar/databus/AbstractDataType.java", "duplicate_line": 1, "correlation_key": "fp|0c5fb3a992d9f2724d85ceb4b628bfe819288fc23ebb77c5b83a11130f69ff23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data-bus/src/main/java/com/iluwatar/databus/DataType.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 65385, "scanner": "repobility-threat-engine", "fingerprint": "86b2a8e52d562c6f662a1679ee8779a25c49524ac97370e00ad76ebcf44fd43f", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\", price=\"\n            + price\n            + \", cost=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|86b2a8e52d562c6f662a1679ee8779a25c49524ac97370e00ad76ebcf44fd43f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data-transfer-object/src/main/java/com/iluwatar/datatransfer/product/ProductDto.java"}, "region": {"startLine": 196}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 65384, "scanner": "repobility-threat-engine", "fingerprint": "729776d73e8b9922dd9cca97d58fd172f026eac7f8596716f4240b477c8fb60e", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\", price=\"\n        + price\n        + \", cost=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|729776d73e8b9922dd9cca97d58fd172f026eac7f8596716f4240b477c8fb60e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data-transfer-object/src/main/java/com/iluwatar/datatransfer/product/Product.java"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 65383, "scanner": "repobility-threat-engine", "fingerprint": "525787f21c2abb131a085d48f610bb15b51e1679b0cdb6e593c7b681bdf3c9d7", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Student [\" + name + \"] is not found\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|525787f21c2abb131a085d48f610bb15b51e1679b0cdb6e593c7b681bdf3c9d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data-mapper/src/main/java/com/iluwatar/datamapper/StudentDataMapperImpl.java"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 65395, "scanner": "repobility-threat-engine", "fingerprint": "9f6d906c14c65f4deed2c2611ddee596c9cd2b315bb56ed9923c3f61a1af6a67", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f6d906c14c65f4deed2c2611ddee596c9cd2b315bb56ed9923c3f61a1af6a67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "template-method/src/main/java/com/iluwatar/templatemethod/HalflingThief.java"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 65394, "scanner": "repobility-threat-engine", "fingerprint": "99f96e8638dac48a8722f2c2fa1719d5b7bae4284ec7f04b713acd4bb75c7ada", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|99f96e8638dac48a8722f2c2fa1719d5b7bae4284ec7f04b713acd4bb75c7ada"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "template-method/src/main/java/com/iluwatar/templatemethod/App.java"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "properties": {"repobilityId": 65390, "scanner": "repobility-threat-engine", "fingerprint": "a099194e6cc65010cbbdb7ea1121760ce33324de9bdcc00800485e48b83ba831", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a099194e6cc65010cbbdb7ea1121760ce33324de9bdcc00800485e48b83ba831"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 65388, "scanner": "repobility-threat-engine", "fingerprint": "533b9b6aeabdcc7ef1425ac70ec35cd4e10773caddfcb5be843d5767d08ceaff", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|533b9b6aeabdcc7ef1425ac70ec35cd4e10773caddfcb5be843d5767d08ceaff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "page-object/src/main/java/com/iluwatar/pageobject/App.java"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 65387, "scanner": "repobility-threat-engine", "fingerprint": "cb5a9d12c9def0904dbfa364522b5fafafec832bbbde337bd28e65390f73b97c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cb5a9d12c9def0904dbfa364522b5fafafec832bbbde337bd28e65390f73b97c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mute-idiom/src/main/java/com/iluwatar/mute/Mute.java"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 65386, "scanner": "repobility-threat-engine", "fingerprint": "66395a6fcf0f3ecee9316826f6d915a403ea9b1b0d59964772bfe6cba15fe878", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|66395a6fcf0f3ecee9316826f6d915a403ea9b1b0d59964772bfe6cba15fe878"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 65382, "scanner": "repobility-threat-engine", "fingerprint": "2dd7741d048fa4125233f4d38169b7b6bfcf254bfbcc6b391ac104e43dd71249", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2dd7741d048fa4125233f4d38169b7b6bfcf254bfbcc6b391ac104e43dd71249"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 65377, "scanner": "repobility-threat-engine", "fingerprint": "d5543183bc8b9d040a29f3eb47255fa6e0230b8707183d0d871de9cc7ef84d30", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "LOGGER.info(chamberOfSecrets.toString()", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|logger.info chamberofsecrets.tostring"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "currying/src/main/java/com/iluwatar/currying/App.java"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 65376, "scanner": "repobility-threat-engine", "fingerprint": "7382e2c46dc1814619d45eb53229b3f9372e60df345d3ad91aa391b92890ec84", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|51|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server-session/src/main/java/com/iluwatar/sessionserver/LoginHandler.java"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 65375, "scanner": "repobility-threat-engine", "fingerprint": "3d9d5a49f932b859f33fd62f85a7400f9700a144a85414820a381ad31fbe98dd", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|60|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "microservices-idempotent-consumer/src/main/java/com/iluwatar/idempotentconsumer/App.java"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 65374, "scanner": "repobility-threat-engine", "fingerprint": "93d2b92a7aa54e6194d722a30f7080a429ecf1999ef12523515f6d1f106e913f", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|52|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client-session/src/main/java/com/iluwatar/client/session/Server.java"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 65369, "scanner": "repobility-threat-engine", "fingerprint": "53bf8a87e25814ffe2ca4fb2b663efa0ec5d19c7b351535829863994b9f832b3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|53bf8a87e25814ffe2ca4fb2b663efa0ec5d19c7b351535829863994b9f832b3"}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 65365, "scanner": "repobility-threat-engine", "fingerprint": "59f9cd8d49d624e06d0357b8bd23b8f4d32c471b9979518195b139b9f3054721", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|59f9cd8d49d624e06d0357b8bd23b8f4d32c471b9979518195b139b9f3054721", "aggregated_count": 9}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 65364, "scanner": "repobility-threat-engine", "fingerprint": "79030322da9f1383e37cd213dab84fea7bd877332d47508d8d18e61739bb7fb1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79030322da9f1383e37cd213dab84fea7bd877332d47508d8d18e61739bb7fb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "caching/src/main/java/com/iluwatar/caching/AppManager.java"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 65363, "scanner": "repobility-threat-engine", "fingerprint": "adfe705103f1b3964152d7671007327a4147a1263d013c6f51c377c856c2c3a7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|adfe705103f1b3964152d7671007327a4147a1263d013c6f51c377c856c2c3a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "async-method-invocation/src/main/java/com/iluwatar/async/method/invocation/ThreadAsyncExecutor.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 65362, "scanner": "repobility-threat-engine", "fingerprint": "37d1b3d64c73a1015c7b10e1a6b24cb8cab944e3ac1ab5c36c404fa6f21440fd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37d1b3d64c73a1015c7b10e1a6b24cb8cab944e3ac1ab5c36c404fa6f21440fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "active-object/src/main/java/com/iluwatar/activeobject/ActiveCreature.java"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65414, "scanner": "repobility-supply-chain", "fingerprint": "bc4d35531d9b5abbfac04c959aa15ee1a43c857fb5734eed0ac9cf3ff8aa701a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc4d35531d9b5abbfac04c959aa15ee1a43c857fb5734eed0ac9cf3ff8aa701a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/maven-ci.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65413, "scanner": "repobility-supply-chain", "fingerprint": "89b0ce119634c81e8236fce4cd99d07b61b97825a2873c896a2896ab7532a7bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|89b0ce119634c81e8236fce4cd99d07b61b97825a2873c896a2896ab7532a7bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/maven-ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65412, "scanner": "repobility-supply-chain", "fingerprint": "2b0d77a3dc76b72c7ae6aeda7aa250c4969c700a4a853fa47e77eb9cfcf98b33", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b0d77a3dc76b72c7ae6aeda7aa250c4969c700a4a853fa47e77eb9cfcf98b33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/maven-ci.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65411, "scanner": "repobility-supply-chain", "fingerprint": "fb61987e36ebf613f99e2ed8fa2ab6652c370a04efca0f88884eb18f2c0765c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fb61987e36ebf613f99e2ed8fa2ab6652c370a04efca0f88884eb18f2c0765c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/maven-ci.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v9`: `uses: actions/stale@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65410, "scanner": "repobility-supply-chain", "fingerprint": "a6ecf0a455d8a5b6572124c46529265b25303c91b360e8376ae42ac9a94f9348", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6ecf0a455d8a5b6572124c46529265b25303c91b360e8376ae42ac9a94f9348"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `presubmit/ai-reviewer` pinned to mutable ref `@latest`: `uses: presubmit/ai-reviewer@latest` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65409, "scanner": "repobility-supply-chain", "fingerprint": "6723b39997fa2fc15ed462f32348f6deb04b77b7e1deb97a5941e163e854abe8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6723b39997fa2fc15ed462f32348f6deb04b77b7e1deb97a5941e163e854abe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/presubmit.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65408, "scanner": "repobility-supply-chain", "fingerprint": "f530f8f791caf4d6fde35c7b74bd31fe6d0f03c1ff8a3cc164cec498cecd994d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f530f8f791caf4d6fde35c7b74bd31fe6d0f03c1ff8a3cc164cec498cecd994d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/maven-pr-builder.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65407, "scanner": "repobility-supply-chain", "fingerprint": "9c4ac5d30b4e1e2559154af59a5b4a942d2f27c137aa2f73dc5edfab92840c17", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c4ac5d30b4e1e2559154af59a5b4a942d2f27c137aa2f73dc5edfab92840c17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/maven-pr-builder.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65406, "scanner": "repobility-supply-chain", "fingerprint": "d883fd509a62af8a20c4b0a3c447571a8a614e1f60f5801a160f08a8cc78e6d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d883fd509a62af8a20c4b0a3c447571a8a614e1f60f5801a160f08a8cc78e6d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/maven-pr-builder.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 65402, "scanner": "repobility-docker", "fingerprint": "e4a589b389dc6110e3ea5f41d30b227f3db5f90538d3f9110354dfaebedbd7dc", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "27017:27017", "target": "27017", "host_ip": "", "published": "27017"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongodb_container", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|e4a589b389dc6110e3ea5f41d30b227f3db5f90538d3f9110354dfaebedbd7dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "caching/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65381, "scanner": "repobility-threat-engine", "fingerprint": "806f29c2366817fd3a4a7dbb58fb6a3872ca7b68272bf108ca0ef7a387850963", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(H", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|806f29c2366817fd3a4a7dbb58fb6a3872ca7b68272bf108ca0ef7a387850963"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "domain-model/src/main/java/com/iluwatar/domainmodel/App.java"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65380, "scanner": "repobility-threat-engine", "fingerprint": "360eeda61bb08ac48f7fec09e7182bb88040f0f7acb3578852fcf4f68732d0d6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(D", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|360eeda61bb08ac48f7fec09e7182bb88040f0f7acb3578852fcf4f68732d0d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data-access-object/src/main/java/com/iluwatar/dao/App.java"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65379, "scanner": "repobility-threat-engine", "fingerprint": "9afb19da06ce022771764e4553fb57420b78b6ee4c4c82d5cb2e63b4d8b06468", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(D", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9afb19da06ce022771764e4553fb57420b78b6ee4c4c82d5cb2e63b4d8b06468"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dao-factory/src/main/java/com/iluwatar/daofactory/H2DataSourceFactory.java"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 65378, "scanner": "repobility-threat-engine", "fingerprint": "1c912d79abb56ed5fc6aae96af2d4e81df1f2908717e9a4f32544cdfb715fa20", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "LOGGER.info(\"Start handling request with token: <redacted>}\", token)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|2|logger.info start handling request with token: redacted token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "thread-specific-storage/src/main/java/com/iluwatar/threadspecificstorage/RequestHandler.java"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65368, "scanner": "repobility-threat-engine", "fingerprint": "c34138713fba3df91d8fadb3a7f20b8acc7dd9ae7181f969233c56134d87ba39", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "StandardServiceRegistryBuilder.destroy(registry);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c34138713fba3df91d8fadb3a7f20b8acc7dd9ae7181f969233c56134d87ba39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "command-query-responsibility-segregation/src/main/java/com/iluwatar/cqrs/util/HibernateUtil.java"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65367, "scanner": "repobility-threat-engine", "fingerprint": "3777eea244f3432813fb0f1abeda4f8ab9661bdb5fe9a21bfb814d485980ec14", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "session.save(author);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3777eea244f3432813fb0f1abeda4f8ab9661bdb5fe9a21bfb814d485980ec14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "command-query-responsibility-segregation/src/main/java/com/iluwatar/cqrs/commandes/CommandServiceImpl.java"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65366, "scanner": "repobility-threat-engine", "fingerprint": "ef24170af9ca80315950bb829d63b38ec319fb53e1983e4553739fb3148c93b5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "appManager.save(userAccount1);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef24170af9ca80315950bb829d63b38ec319fb53e1983e4553739fb3148c93b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "caching/src/main/java/com/iluwatar/caching/App.java"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 65361, "scanner": "repobility-threat-engine", "fingerprint": "30bb60accc843898240245d8756a654b46e54955b09c3e5f92b76414d964dbc8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.put(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|30bb60accc843898240245d8756a654b46e54955b09c3e5f92b76414d964dbc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "active-object/src/main/java/com/iluwatar/activeobject/ActiveCreature.java"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 65401, "scanner": "repobility-docker", "fingerprint": "871aed478d03f1d9a5df9cf2703fd798af95a4307e0177dd78bdad1c9dab60ff", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mongodb_container", "variable": "MONGO_INITDB_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|871aed478d03f1d9a5df9cf2703fd798af95a4307e0177dd78bdad1c9dab60ff", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "caching/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC101", "level": "error", "message": {"text": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) leading to RCE."}, "properties": {"repobilityId": 65393, "scanner": "repobility-threat-engine", "fingerprint": "c30f9c79e456bb31313a95bacaa30bf1f0b4b9c93d98fd1294dd7184ff36a5e6", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new ObjectInputStream(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC101", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|96|sec101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tolerant-reader/src/main/java/com/iluwatar/tolerantreader/RainbowFishSerializer.java"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC101", "level": "error", "message": {"text": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) leading to RCE."}, "properties": {"repobilityId": 65392, "scanner": "repobility-threat-engine", "fingerprint": "f649b87c826313d790cce8fdedac574fc3211ba9a48f5c043fd097ea45fcacc9", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new ObjectInputStream(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC101", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|78|sec101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "serialized-lob/src/main/java/com/iluwatar/slob/serializers/BlobSerializer.java"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC101", "level": "error", "message": {"text": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) leading to RCE."}, "properties": {"repobilityId": 65391, "scanner": "repobility-threat-engine", "fingerprint": "13fe39b132c68f33592090d03a8432fa5dee7df8964b48f9deeb42bec1c25370", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new ObjectInputStream(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC101", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|111|sec101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "serialized-entity/src/main/java/com/iluwatar/serializedentity/CountrySchemaSql.java"}, "region": {"startLine": 111}}}]}]}]}