{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Resolve the destination directory and each member's destination with os.path.realpath() and reject any member whose resolved path is not inside the destination (CWE-22):\n  base = os.path.realpath(dest)\n  target = os.path.realpath(os.path.join(base, name))\n  if os.path.commonpath([base, target]) != base: raise ValueError(name)\nUse os.path.commonpath(), not a plain string-prefix test, so that a sibling such as 'dest-evil' is not accepted. Also reject symlink and hard-link members that point outside the destination, since a later member can write through the link. For tarfile, prefer extractall(path, filter='data') where available (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4); the data filter rejects absolute paths, '..' components and links escaping the destination. zipfile.extract()/extractall() already strip absolute prefixes and '..' components (see the zipfile docs), so a zipfile match is lower risk and should be triaged accordingly."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation.", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching (CWE-918):\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  parts = urlparse(url)\n  if parts.scheme not in ('http', 'https') or parts.hostname not in ALLOWED: abort(400)\nChecking the scheme matters because urllib.request.urlopen() also accepts file:// and ftp:// URLs. If a host allowlist is not possible, resolve the hostname and reject any address that is loopback, link-local, private or otherwise non-global (ipaddress.ip_address(addr).is_global is False), covering IPv6 (::1, fc00::/7, fe80::/10) as well as 127/8, 0/8, 100.64/10, 10/8, 172.16/12, 192.168/16 and 169.254/16. Re-validate after every redirect (or disable redirects), and connect to the address you validated so that DNS rebinding cannot swap it. Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/153"}, "properties": {"repository": "https://github.com/NVIDIA/cuda-python.git", "repoUrl": "https://github.com/NVIDIA/cuda-python.git", "branch": "main"}, "results": [{"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 4541, "scanner": "repobility-threat-engine", "fingerprint": "2d83c5eb855eab7780606c43cf7cb78e67d3889e7ec308aca7fb5dd589cd0ee4", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|cuda_core/build_hooks.py|258|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cuda_core/build_hooks.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the 
target directory."}, "properties": {"repobilityId": 4066, "scanner": "repobility-threat-engine", "fingerprint": "f8beeffec73b7ff30c81973b1464968a6eaffdfb4a8a5a11d4f65b92d224bcea", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|cuda_core/build_hooks.py|281|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cuda_core/build_hooks.py"}, "region": {"startLine": 281}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 3967, "scanner": "repobility-threat-engine", "fingerprint": "d0bef4759509fc3b502ec1d221251b6fc26664e12f643a3c42e3b3004d47de1d", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|cuda_core/build_hooks.py|279|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cuda_core/build_hooks.py"}, "region": {"startLine": 279}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3964, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17969ed5e0a5eb117eceb791d844e23942e0c776f7cfccd81cd3085b507a9e53", 
"category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cuda_core/cuda/core/__init__.py", "duplicate_line": 22, "correlation_key": "fp|17969ed5e0a5eb117eceb791d844e23942e0c776f7cfccd81cd3085b507a9e53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cuda_core/cuda/core/experimental/__init__.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3962, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b39f14b94341f2f381c0fd9cc40d19c35508793d4f42814143f4b0059d444be9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cuda_bindings/build_hooks.py", "duplicate_line": 20, "correlation_key": "fp|b39f14b94341f2f381c0fd9cc40d19c35508793d4f42814143f4b0059d444be9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cuda_core/build_hooks.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4540, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ccaa105b97ac1b48406724cf06111f0f00ae5bf7a83e3bcd6693ea1026e0ee59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cuda_bindings/build_hooks.py", "duplicate_line": 20, "correlation_key": "fp|ccaa105b97ac1b48406724cf06111f0f00ae5bf7a83e3bcd6693ea1026e0ee59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cuda_core/build_hooks.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3966, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f1e8cda1571a077793f8257c435627650a4ff47951ef681694b7a7e8b6dfffe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cuda_pathfinder/cuda/pathfinder/_dynamic_libs/descriptor_catalog.py", "duplicate_line": 1, "correlation_key": "fp|0f1e8cda1571a077793f8257c435627650a4ff47951ef681694b7a7e8b6dfffe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "toolshed/_catalog_writer.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3965, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a452b75fe3c8d996d2be5fe28d91206e06e0906add15dab8c59858c6a19c90d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cuda_pathfinder/cuda/pathfinder/_static_libs/find_bitcode_lib.py", "duplicate_line": 66, "correlation_key": "fp|3a452b75fe3c8d996d2be5fe28d91206e06e0906add15dab8c59858c6a19c90d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cuda_pathfinder/cuda/pathfinder/_static_libs/find_static_lib.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3963, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f9ce3b2d8edc44f696ecf1aeb64526ecde8434e43c13eeead389844937cd326", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cuda_core/cuda/core/_utils/driver_cu_result_explanations_frozen.py", "duplicate_line": 79, "correlation_key": "fp|4f9ce3b2d8edc44f696ecf1aeb64526ecde8434e43c13eeead389844937cd326"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cuda_core/cuda/core/_utils/runtime_cuda_error_explanations_frozen.py"}, "region": {"startLine": 249}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Triage note: this finding is a pattern match on the urlopen() call only (evidence.reason reports no data-flow trace); confirm that the URL passed to urlopen() in this CI helper actually derives from untrusted input before treating it as exploitable, and check that the scheme is restricted to http/https since urlopen() also accepts file:// URLs."}, "properties": {"repobilityId": 27763, "scanner": "repobility-threat-engine", "fingerprint": "3e0e585409aee3f9f204808f898c20b172700b5caee0be8fc7f54cb575945b41", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3e0e585409aee3f9f204808f898c20b172700b5caee0be8fc7f54cb575945b41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/tools/fetch_ctk_redistrib.py"}, "region": {"startLine": 72}}}]}]}]}