{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CORE_LARGE_FILES", "name": "Average file size is 683 lines (recommend <300)", "shortDescription": {"text": "Average file size is 683 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": 
"repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nAlso cover loopback (127/8) and the IPv6 equivalents (::1, fc00::/7, fe80::/10), and apply the check to the address the hostname resolves to, including after each redirect; a hostname-only check does not cover DNS rebinding or redirects to internal hosts."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED128", "name": "[MINED128] go.mod replaces `go.opentelemetry.io/otel` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel => ../", "shortDescription": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel => ../../../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are f"}, "fullDescription": {"text": "If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges. Triage note: Go applies replace directives only in the main module and ignores them when the module is consumed as a dependency, so first check whether the relative path resolves to another module inside the same repository (a common multi-module layout) before treating it as a substituted source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.", "shortDescription": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-754 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1129"}, "properties": {"repository": "open-telemetry/opentelemetry-go", "repoUrl": "https://github.com/open-telemetry/opentelemetry-go", "branch": "main"}, "results": [{"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 683 lines (recommend <300)"}, "properties": {"repobilityId": 111591, "scanner": "repobility-core", "fingerprint": "796f0ecdf492f2d51f807cd108126cffd85481ad103bc871f034d95fea839c0a", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|796f0ecdf492f2d51f807cd108126cffd85481ad103bc871f034d95fea839c0a"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111639, "scanner": "repobility-ai-code-hygiene", "fingerprint": "946f405ef478009b177f96046133710912bb7b25eecb23c8baef2f134612efec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/partialsuccess.go", "duplicate_line": 5, "correlation_key": "fp|946f405ef478009b177f96046133710912bb7b25eecb23c8baef2f134612efec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/partialsuccess.go"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111638, "scanner": "repobility-ai-code-hygiene", "fingerprint": "509581ec519facf80875896b22137b4291d0e12fca6eff02bf675627e8c6afd4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/partialsuccess.go", "duplicate_line": 2, "correlation_key": "fp|509581ec519facf80875896b22137b4291d0e12fca6eff02bf675627e8c6afd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/partialsuccess.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111637, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c0186b9f80a0892a2bd99c44e4978f06f94256cd1c167d12915a527684620ca4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/otest/collector.go", "duplicate_line": 2, "correlation_key": "fp|c0186b9f80a0892a2bd99c44e4978f06f94256cd1c167d12915a527684620ca4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/otest/collector.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 111636, "scanner": "repobility-ai-code-hygiene", "fingerprint": "78788e2095d9140a8d0aec6eabff4c4aee1b53382e72291a5349acd2bac55da5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/otest/client.go", "duplicate_line": 11, "correlation_key": "fp|78788e2095d9140a8d0aec6eabff4c4aee1b53382e72291a5349acd2bac55da5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/otest/client.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111635, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91ef6dd7e8a83d14f05d1e10bc5fd303985b1de7a379f569f201f09a2179e36d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/tls.go", "duplicate_line": 2, "correlation_key": "fp|91ef6dd7e8a83d14f05d1e10bc5fd303985b1de7a379f569f201f09a2179e36d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/oconf/tls.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block 
across source files"}, "properties": {"repobilityId": 111634, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9066de7ff900de56276935eaa89d1b25b70de22b8cf13ba62d0b4d59bbc60ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/optiontypes.go", "duplicate_line": 2, "correlation_key": "fp|d9066de7ff900de56276935eaa89d1b25b70de22b8cf13ba62d0b4d59bbc60ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/oconf/optiontypes.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111633, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1b8c32113b3913aad93c93a1aef2c1491e3096c5e9a20237070c94a719af534", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/options.go", "duplicate_line": 2, "correlation_key": "fp|a1b8c32113b3913aad93c93a1aef2c1491e3096c5e9a20237070c94a719af534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/oconf/options.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 111632, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90b6ca0f43390878bce8ce5158195848dd5d34dbbef883fb7d6c716c0d703c89", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/oconf/envconfig.go", "duplicate_line": 11, "correlation_key": "fp|90b6ca0f43390878bce8ce5158195848dd5d34dbbef883fb7d6c716c0d703c89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/oconf/envconfig.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111631, "scanner": "repobility-ai-code-hygiene", "fingerprint": "04f1f4313e1e069223de2d912abb006b4d308df5b14de5e909f17ba12ed926d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/observ/instrumentation.go", "duplicate_line": 221, "correlation_key": "fp|04f1f4313e1e069223de2d912abb006b4d308df5b14de5e909f17ba12ed926d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/observ/instrumentation.go"}, "region": {"startLine": 232}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across 
source files"}, "properties": {"repobilityId": 111630, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f4bf32d57d2b01f5e5a6e4e47bd6b8b328e8900cd8bcc86d4af8dd1371c9585", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/observ/target.go", "duplicate_line": 37, "correlation_key": "fp|0f4bf32d57d2b01f5e5a6e4e47bd6b8b328e8900cd8bcc86d4af8dd1371c9585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/observ/instrumentation.go"}, "region": {"startLine": 143}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111629, "scanner": "repobility-ai-code-hygiene", "fingerprint": "60e2c743ce47e699e9ce07ceb8b25a40efae3c32176025882c5c6d3a8794f372", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/observ/instrumentation.go", "duplicate_line": 37, "correlation_key": "fp|60e2c743ce47e699e9ce07ceb8b25a40efae3c32176025882c5c6d3a8794f372"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/observ/instrumentation.go"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across 
source files"}, "properties": {"repobilityId": 111628, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a223fdc3f2011bf6d1c21ac2d72bd56e754cf0de8f699cff782b0a51a13263a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/observ/instrumentation.go", "duplicate_line": 186, "correlation_key": "fp|0a223fdc3f2011bf6d1c21ac2d72bd56e754cf0de8f699cff782b0a51a13263a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/observ/count.go"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111627, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a80b9cb6e106e6c5ce2a4ab31a9d9cb746ea8849131aa033185a7329b160b2de", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/config.go", "duplicate_line": 399, "correlation_key": "fp|a80b9cb6e106e6c5ce2a4ab31a9d9cb746ea8849131aa033185a7329b160b2de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/envconfig/envconfig.go"}, "region": {"startLine": 154}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 111626, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c493ed5146d1b4f2ddd6c6643e5f85f9d4f7eb7980bf4be41f85d787dcd4b12", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/envconfig/envconfig.go", "duplicate_line": 2, "correlation_key": "fp|7c493ed5146d1b4f2ddd6c6643e5f85f9d4f7eb7980bf4be41f85d787dcd4b12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/envconfig/envconfig.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111625, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4495b2c371565b51721e0ecb198c4cf73760976fc7a4caf0b160b94d69389e1b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/exporter.go", "duplicate_line": 13, "correlation_key": "fp|4495b2c371565b51721e0ecb198c4cf73760976fc7a4caf0b160b94d69389e1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/exporter.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111624, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "042214166b03b0b1dde319cc072dac0c4feed60c2eebb8b98905dab16cff6379", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlpmetric/otlpmetricgrpc/doc.go", "duplicate_line": 48, "correlation_key": "fp|042214166b03b0b1dde319cc072dac0c4feed60c2eebb8b98905dab16cff6379"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/doc.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111623, "scanner": "repobility-ai-code-hygiene", "fingerprint": "425f927f8dfa4e9b60577041ab3605bc63ce3878c58d19858b6dcb4293c42f47", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploghttp/client.go", "duplicate_line": 2, "correlation_key": "fp|425f927f8dfa4e9b60577041ab3605bc63ce3878c58d19858b6dcb4293c42f47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/client.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111622, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"6199a70025496ff1a6ff53a46f594210307d729f53ccba318065b0c12ee58570", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/x/x.go", "duplicate_line": 2, "correlation_key": "fp|6199a70025496ff1a6ff53a46f594210307d729f53ccba318065b0c12ee58570"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/x/x.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111621, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae2ade6a70d064abe0b2124940fd75e5bd52b4a8fd94d1eebfdb60194b7e480a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/transform/log.go", "duplicate_line": 123, "correlation_key": "fp|ae2ade6a70d064abe0b2124940fd75e5bd52b4a8fd94d1eebfdb60194b7e480a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/transform/attribute.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111620, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"c01932f81bef922433e3d2d291180d8687258626c1c3928e19bbaef0619fde0f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/retry/retry.go", "duplicate_line": 2, "correlation_key": "fp|c01932f81bef922433e3d2d291180d8687258626c1c3928e19bbaef0619fde0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/retry/retry.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111619, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e73c1b76fd0823935f09487976d3c665374fbf3e721c20632ebc456d28bfaecd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/partialsuccess.go", "duplicate_line": 2, "correlation_key": "fp|e73c1b76fd0823935f09487976d3c665374fbf3e721c20632ebc456d28bfaecd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/partialsuccess.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111618, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"ba294a6d6e2b516cf3dd753d24fef40201a53b3cca64a5aaa1542812a5dc360c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/observ/target.go", "duplicate_line": 2, "correlation_key": "fp|ba294a6d6e2b516cf3dd753d24fef40201a53b3cca64a5aaa1542812a5dc360c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/observ/target.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111617, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3484f60210d06f76c2797e3d8488300aa4db4dbb72ed74bd4a03afaa3b3512a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/config.go", "duplicate_line": 399, "correlation_key": "fp|3484f60210d06f76c2797e3d8488300aa4db4dbb72ed74bd4a03afaa3b3512a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/envconfig/envconfig.go"}, "region": {"startLine": 154}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111616, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"ca31f0d2ee77aaa6db25c02b24e28543939b78cf8e1b1463d16c042c79b22aed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/client.go", "duplicate_line": 173, "correlation_key": "fp|ca31f0d2ee77aaa6db25c02b24e28543939b78cf8e1b1463d16c042c79b22aed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetricgrpc/client.go"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111615, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5f4695cfd3c3d8013c8cb2692ec4fc9cc665e87259cd4282bf44862a69ce218", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/x/x.go", "duplicate_line": 2, "correlation_key": "fp|c5f4695cfd3c3d8013c8cb2692ec4fc9cc665e87259cd4282bf44862a69ce218"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlplog/otlploghttp/internal/x/x.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111614, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be435514ab64ec9a7210dab30c7263fa1853ac4af351a40e129b4b1894957181", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/transform/log.go", "duplicate_line": 2, "correlation_key": "fp|be435514ab64ec9a7210dab30c7263fa1853ac4af351a40e129b4b1894957181"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlplog/otlploghttp/internal/transform/log.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111613, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1f59386db98403148b447e08e7019e4fe86723acd438dd0250561d251cb56ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/retry/retry.go", "duplicate_line": 2, "correlation_key": "fp|e1f59386db98403148b447e08e7019e4fe86723acd438dd0250561d251cb56ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlplog/otlploghttp/internal/retry/retry.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111612, "scanner": "repobility-ai-code-hygiene", "fingerprint": "676c14361ca058cecf6ef7b65545bc31a97cdffb120161570f5072b56e7dfd9d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/partialsuccess.go", "duplicate_line": 2, "correlation_key": "fp|676c14361ca058cecf6ef7b65545bc31a97cdffb120161570f5072b56e7dfd9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlplog/otlploghttp/internal/partialsuccess.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111611, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b636e0ec711e2e6834ec064bf71f059d4007d38688c8b225cd2a0fae4ff2b9f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/internal/observ/target.go", "duplicate_line": 39, "correlation_key": "fp|b636e0ec711e2e6834ec064bf71f059d4007d38688c8b225cd2a0fae4ff2b9f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlplog/otlploghttp/internal/observ/instrumentation.go"}, "region": {"startLine": 229}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111610, "scanner": "repobility-ai-code-hygiene", "fingerprint": "78ae4074a2eb30929fcb0234b240505a444ae5613722f6635c51562268a343d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters/otlp/otlplog/otlploggrpc/config.go", "duplicate_line": 34, "correlation_key": "fp|78ae4074a2eb30929fcb0234b240505a444ae5613722f6635c51562268a343d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlplog/otlploghttp/config.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 111609, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32459e18838866b083b985fd53ac32d4e825aa20af779d902253d8278f625dfb", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": [".github/copilot-instructions.md", "AGENTS.md", "CLAUDE.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|32459e18838866b083b985fd53ac32d4e825aa20af779d902253d8278f625dfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/copilot-instructions.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 111594, "scanner": "repobility-threat-engine", "fingerprint": "50a4cde4c8e92303d5d49c9fb05530affa0b699f8d555441f77882d41c2a3e45", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = tsOtel.Insert(", "reason": 
"Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|50a4cde4c8e92303d5d49c9fb05530affa0b699f8d555441f77882d41c2a3e45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bridge/opencensus/internal/oc2otel/span_context.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 111593, "scanner": "repobility-threat-engine", "fingerprint": "bddc4cf936ad3494fe19494e6ceda1d9348df5ea24af99a48b492d48a867c707", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = reflect.Copy(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bddc4cf936ad3494fe19494e6ceda1d9348df5ea24af99a48b492d48a867c707"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "attribute/internal/attribute.go"}, "region": {"startLine": 72}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 111592, "scanner": "repobility-threat-engine", "fingerprint": "f2326efed6f73620f45d5ccf670ff94d4783493f33a33a030a99a2b4d54061ea", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = buf.WriteByte(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": 
"fp|f2326efed6f73620f45d5ccf670ff94d4783493f33a33a030a99a2b4d54061ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "attribute/encoder.go"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 111607, "scanner": "repobility-threat-engine", "fingerprint": "f423aab12d90630d966c78475044f13aeefec01841f4616f9850b062f555b4eb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f423aab12d90630d966c78475044f13aeefec01841f4616f9850b062f555b4eb", "aggregated_count": 9}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 111606, "scanner": "repobility-threat-engine", "fingerprint": "45936759a5f3bc1bd2977a0f61d8874eb46cf5b77ffab444b465db73551f494a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, 
"observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|45936759a5f3bc1bd2977a0f61d8874eb46cf5b77ffab444b465db73551f494a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/internal/otest/client.go"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 111605, "scanner": "repobility-threat-engine", "fingerprint": "6b05abd9df8a00f9f41614c98ce42079d2261934b20be8217880c7bf9a3e1992", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b05abd9df8a00f9f41614c98ce42079d2261934b20be8217880c7bf9a3e1992"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetrichttp/client.go"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 111604, "scanner": "repobility-threat-engine", "fingerprint": "6121567679af47899e67e809ac4bc09e014182716f856e1ed3a92ad131eb71f2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": 
{"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6121567679af47899e67e809ac4bc09e014182716f856e1ed3a92ad131eb71f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetricgrpc/internal/otest/client.go"}, "region": {"startLine": 204}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 111603, "scanner": "repobility-threat-engine", "fingerprint": "897bdc4844bb4d2e59bb80b170f8d41fb45308fee7e3817a73d32aa296b7c4bd", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|897bdc4844bb4d2e59bb80b170f8d41fb45308fee7e3817a73d32aa296b7c4bd"}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 111599, "scanner": "repobility-threat-engine", "fingerprint": "537939c16c37080b51999e17b8ad02e42658df05cf9b994440b6e17bf2ff30ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|537939c16c37080b51999e17b8ad02e42658df05cf9b994440b6e17bf2ff30ca", "aggregated_count": 3}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 111598, "scanner": "repobility-threat-engine", "fingerprint": "6ac22643ae5ec5565a72e9a8c4f3f53fcfb153d3a07889c0319dca3f74a60921", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ac22643ae5ec5565a72e9a8c4f3f53fcfb153d3a07889c0319dca3f74a60921"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/metric/exemplar/histogram_reservoir.go"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 111597, "scanner": "repobility-threat-engine", "fingerprint": "e18a653050cdc84e27d16c29b065794b24b6ce0cef1ea9b3718bee84a3fb7db7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e18a653050cdc84e27d16c29b065794b24b6ce0cef1ea9b3718bee84a3fb7db7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "attribute/internal/xxhash/xxhash.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 111596, "scanner": "repobility-threat-engine", "fingerprint": "2a590f9bff73dcd809d59563bb5a2501b0fae4c701ea517abf5ffe8de5ed9d6f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a590f9bff73dcd809d59563bb5a2501b0fae4c701ea517abf5ffe8de5ed9d6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "attribute/hash.go"}, "region": {"startLine": 120}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 111595, "scanner": "repobility-threat-engine", "fingerprint": "422906d687c51dd527ea90571b59cc39f23789ede1533fde067b80c32b027f0a", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|422906d687c51dd527ea90571b59cc39f23789ede1533fde067b80c32b027f0a"}}}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel => ../../../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111664, "scanner": "repobility-supply-chain", "fingerprint": "9b2fc570eab401315523113c4a2fe67dcfe4ce741f4ad5be3b451477b802b249", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b2fc570eab401315523113c4a2fe67dcfe4ce741f4ad5be3b451477b802b249"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlptrace/otlptracegrpc/go.mod"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/metric/x` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/metric/x => ../../../../metric/x` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines. Go applies `replace` directives only when this module is built as the main module and ignores them when it is consumed as a dependency, so confirm that the local path resolves inside this repository before treating the finding as a supply-chain risk."}, "properties": {"repobilityId": 111663, "scanner": "repobility-supply-chain", "fingerprint": "934fdd13dc74c1e7f3903856c6074a796347e7d9f06f59dc3453b42fa346025d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|934fdd13dc74c1e7f3903856c6074a796347e7d9f06f59dc3453b42fa346025d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlptrace/otlptracehttp/go.mod"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/metric` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/metric => ../../../../metric` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111662, "scanner": "repobility-supply-chain", "fingerprint": "cacc04ecc9c0d6f470a345d9571643d9b70d6f1f4218ae25d4a861c461e00b29", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cacc04ecc9c0d6f470a345d9571643d9b70d6f1f4218ae25d4a861c461e00b29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlptrace/otlptracehttp/go.mod"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/sdk` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/sdk => ../../../../sdk` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111661, "scanner": "repobility-supply-chain", "fingerprint": "5dafcff8add699fcd506e8ef8753888104d0a39a0c8253f59bafefff9915558f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5dafcff8add699fcd506e8ef8753888104d0a39a0c8253f59bafefff9915558f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlptrace/otlptracehttp/go.mod"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/exporters/otlp/otlptrace` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/exporters/otlp/otlptrace => ../` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111660, "scanner": "repobility-supply-chain", "fingerprint": "fc6cbbf20e6904a8777ee8ba2c1a30f27b261482356e48ccb10967f8db6e8e51", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc6cbbf20e6904a8777ee8ba2c1a30f27b261482356e48ccb10967f8db6e8e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlptrace/otlptracehttp/go.mod"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/sdk/metric` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/sdk/metric => ../../../sdk/metric` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111659, "scanner": "repobility-supply-chain", "fingerprint": "236b37632af94e420d59a855ebbd1d581d3e0f5a964f0a31a20b3b5b31ca14d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|236b37632af94e420d59a855ebbd1d581d3e0f5a964f0a31a20b3b5b31ca14d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlptrace/go.mod"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/trace` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/trace => ../../../trace` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111658, "scanner": "repobility-supply-chain", "fingerprint": "206502e2b028c5f3eba6ac2f7a90376fe4feb36be3cf4d30088599e84b8fee95", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|206502e2b028c5f3eba6ac2f7a90376fe4feb36be3cf4d30088599e84b8fee95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlptrace/go.mod"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel => ../../..` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111657, "scanner": "repobility-supply-chain", "fingerprint": "35444171e341138df023e93b1f2b6e75e719a43b7709738756078740f265b8d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35444171e341138df023e93b1f2b6e75e719a43b7709738756078740f265b8d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlptrace/go.mod"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/sdk/metric` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/sdk/metric => ../../sdk/metric` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111656, "scanner": "repobility-supply-chain", "fingerprint": "8df55ede67c0c4cf23b5f169c6f16c03ccf87a08856c5090d1132720bf2517b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8df55ede67c0c4cf23b5f169c6f16c03ccf87a08856c5090d1132720bf2517b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/zipkin/go.mod"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/sdk` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/sdk => ../../sdk` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111655, "scanner": "repobility-supply-chain", "fingerprint": "47d7816d4590e757f49e5efa8c3cfc23dacdd4ab3edf26e0c02598ce0a56194c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47d7816d4590e757f49e5efa8c3cfc23dacdd4ab3edf26e0c02598ce0a56194c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/zipkin/go.mod"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/trace` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/trace => ../../trace` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111654, "scanner": "repobility-supply-chain", "fingerprint": "88a274135e4674da2b54e93b3e2b56f50137c28e2e0c0278aa55710b3a3129d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88a274135e4674da2b54e93b3e2b56f50137c28e2e0c0278aa55710b3a3129d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/zipkin/go.mod"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/metric` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/metric => ../../metric` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111653, "scanner": "repobility-supply-chain", "fingerprint": "e1b4eab37a4c5e107f3b269cf6fc9abcebfe6daf5d8fffb68a91838dfb240c56", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1b4eab37a4c5e107f3b269cf6fc9abcebfe6daf5d8fffb68a91838dfb240c56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/prometheus/go.mod"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/sdk/metric` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/sdk/metric => ../../sdk/metric` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111652, "scanner": "repobility-supply-chain", "fingerprint": "966c16d08cf103a7fa667db156c5eaa3e36332d1fba6c0ef416e671b4ede794f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|966c16d08cf103a7fa667db156c5eaa3e36332d1fba6c0ef416e671b4ede794f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/prometheus/go.mod"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111651, "scanner": "repobility-supply-chain", "fingerprint": "5d2807f4d3751c47b829540b9d3705b242c8be8af26fd78a49cf2572db0aaf2b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d2807f4d3751c47b829540b9d3705b242c8be8af26fd78a49cf2572db0aaf2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/prometheus/go.mod"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/metric` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/metric => ../../../../metric` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111650, "scanner": "repobility-supply-chain", "fingerprint": "d7c1fd12739c5854c1b33042b4db625499a23d594392325543237d9e31b0a4e3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d7c1fd12739c5854c1b33042b4db625499a23d594392325543237d9e31b0a4e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "trace/internal/telemetry/test/go.mod"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/trace` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/trace => ../../..` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111649, "scanner": "repobility-supply-chain", "fingerprint": "4709e311f369537b1ce860e6d21d3bf85dbdbb7e887a390b72102f77e2c40989", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4709e311f369537b1ce860e6d21d3bf85dbdbb7e887a390b72102f77e2c40989"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "trace/internal/telemetry/test/go.mod"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/metric` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/metric => ../metric` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111648, "scanner": "repobility-supply-chain", "fingerprint": "10bb9d7a306adabd70fb8372127b00401e4f66494275d84e534a39eb96a13ee4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10bb9d7a306adabd70fb8372127b00401e4f66494275d84e534a39eb96a13ee4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "trace/go.mod"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel => ../` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111647, "scanner": "repobility-supply-chain", "fingerprint": "4bd196990c62d0e3739272b325e320e8827ab2208ce14f5921c7713e0ce738e1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4bd196990c62d0e3739272b325e320e8827ab2208ce14f5921c7713e0ce738e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "trace/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel => ../` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111646, "scanner": "repobility-supply-chain", "fingerprint": "35473dea9ab3a3514f7b15b100c8940ea3050026c04dee9a85b605175ff29412", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35473dea9ab3a3514f7b15b100c8940ea3050026c04dee9a85b605175ff29412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "metric/go.mod"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/trace` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/trace => ../trace` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111645, "scanner": "repobility-supply-chain", "fingerprint": "dd25f7543f9b2418a086c8571a2709ab1b42a88d343fb6b4ebdb66031359b9b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd25f7543f9b2418a086c8571a2709ab1b42a88d343fb6b4ebdb66031359b9b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "log/go.mod"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/metric` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/metric => ../metric` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111644, "scanner": "repobility-supply-chain", "fingerprint": "11d6369fe5a98f471cc7515d49e0cad0df58909ac9e1fb19cb230b348f8ab16f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11d6369fe5a98f471cc7515d49e0cad0df58909ac9e1fb19cb230b348f8ab16f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "log/go.mod"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/sdk/metric` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/sdk/metric => ./metric` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111643, "scanner": "repobility-supply-chain", "fingerprint": "ace4f255448138008c02f06de93b6d0df6c6734afdf0e37142791d651054fceb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ace4f255448138008c02f06de93b6d0df6c6734afdf0e37142791d651054fceb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/go.mod"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/trace` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/trace => ../trace` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111642, "scanner": "repobility-supply-chain", "fingerprint": "7ba64e8ebce72f339d04f5f1e325f58ac2a6ee4c934ea1b074abc40ace15d957", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ba64e8ebce72f339d04f5f1e325f58ac2a6ee4c934ea1b074abc40ace15d957"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/go.mod"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel => ../` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111641, "scanner": "repobility-supply-chain", "fingerprint": "37dc8cd111adb47267f2a1c72f78b6a007e704f0c580365a861ac6b67b9827b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37dc8cd111adb47267f2a1c72f78b6a007e704f0c580365a861ac6b67b9827b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `go.opentelemetry.io/otel/trace` \u2014 points to a LOCAL path: `replace go.opentelemetry.io/otel/trace => ./trace` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 111640, "scanner": "repobility-supply-chain", "fingerprint": "23617a023e3ce8d05b117bd3fbcb05f9e372a1f6d8a37f784297269e50000d43", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|23617a023e3ce8d05b117bd3fbcb05f9e372a1f6d8a37f784297269e50000d43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 111608, "scanner": "repobility-threat-engine", "fingerprint": "26e2b431c38fec04d8cd8af8b4208a8ed01cc735df94ebb2adc293b886e56825", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|26e2b431c38fec04d8cd8af8b4208a8ed01cc735df94ebb2adc293b886e56825"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/tools/verifyreadmes/main.go"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 
outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 111602, "scanner": "repobility-threat-engine", "fingerprint": "e914d72d12135cc4835fc7086626d3537e55cd210cf115a39c2c7e837a9c2185", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e914d72d12135cc4835fc7086626d3537e55cd210cf115a39c2c7e837a9c2185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlpmetric/otlpmetricgrpc/config.go"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 111601, "scanner": "repobility-threat-engine", "fingerprint": "26fcea54b16b65b269485bb321a7d8b34377242a29f74f898522db0a040da26c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|26fcea54b16b65b269485bb321a7d8b34377242a29f74f898522db0a040da26c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlplog/otlploghttp/internal/observ/instrumentation.go"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 111600, "scanner": "repobility-threat-engine", "fingerprint": "dff46ed900d8b58c1f86b3b483c3c9ab4ff2c4902b824c405a98f9ec54aa80e5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dff46ed900d8b58c1f86b3b483c3c9ab4ff2c4902b824c405a98f9ec54aa80e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters/otlp/otlplog/otlploggrpc/internal/observ/instrumentation.go"}, "region": {"startLine": 120}}}]}]}]}