{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 624 lines (recommend <300)", "shortDescription": {"text": "Average file size is 624 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. 
Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.", "shortDescription": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "fullDescription": {"text": "Check the return value of each malloc/calloc/realloc call for NULL before it is used. See CWE-690 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8) and the IPv6 equivalents (::1, fc00::/7, fe80::/10), and apply the block to the IP address the hostname resolves to, not only to the hostname string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Compare against the base directory plus a trailing separator (or use os.path.commonpath()), because a plain prefix check also accepts a sibling directory such as /srv/app-old for base /srv/app. 
Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `nginx/ci-self-hosted/.github/workflows/nginx-buildbot.yml` pinned to mutable ref `@main`", "shortDescription": {"text": "Action `nginx/ci-self-hosted/.github/workflows/nginx-buildbot.yml` pinned to mutable ref `@main`"}, "fullDescription": {"text": "`uses: nginx/ci-self-hosted/.github/workflows/nginx-buildbot.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/555"}, "properties": {"repository": "nginx/nginx", "repoUrl": "https://github.com/nginx/nginx", "branch": "master"}, "results": [{"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection). Triage note: the recorded match is the C prototype of ngx_stream_regex_exec() in a header file, not a Python eval()/exec() call, so this finding looks like a false positive caused by matching the _exec( suffix of a function name; the SEC045 results for ngx_http_regex_exec() and ngx_regex_exec() show the same pattern and should be re-triaged before the confirmed verdict is relied on."}, "properties": {"repobilityId": 36149, "scanner": "repobility-threat-engine", "fingerprint": "c0963ee0d65a6618a7444e10cf834583eeb72b700f34c9d2c31fd3d6581f4cac", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "compile(ngx_conf_t *cf,\n    ngx_regex_compile_t *rc);\nngx_int_t ngx_stream_regex_exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|84|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/stream/ngx_stream_variables.h"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 36148, "scanner": "repobility-threat-engine", "fingerprint": "8995deacc30755031cbc8f929adb0c2ebec4ca680b3fd09571a1d4c1870b44cb", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "compile(ngx_conf_t *cf,\n    ngx_regex_compile_t *rc);\nngx_int_t ngx_http_regex_exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|88|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/ngx_http_variables.h"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 36147, "scanner": "repobility-threat-engine", "fingerprint": "90c690471bfbdd09f942b76fb89cc09d3e95c8ce196b5fb4aecd35ff326f77df", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "compile(ngx_regex_compile_t *rc);\n\nngx_int_t ngx_regex_exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|src/core/ngx_regex.h|64|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/core/ngx_regex.h"}, "region": {"startLine": 64}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 624 lines (recommend <300)"}, "properties": {"repobilityId": 36106, "scanner": "repobility-core", "fingerprint": "b0a1df7d55445ed2cada288803e877897a8e21ed26e07ddf1fe45b1e77154a1e", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|b0a1df7d55445ed2cada288803e877897a8e21ed26e07ddf1fe45b1e77154a1e"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36136, "scanner": "repobility-ai-code-hygiene", "fingerprint": "37e721fca4ce583ce814963bfc6c77d3f080802fd553809786f8b95343ac0fc1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_memcached_module.c", "duplicate_line": 474, "correlation_key": "fp|37e721fca4ce583ce814963bfc6c77d3f080802fd553809786f8b95343ac0fc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_tunnel_module.c"}, "region": {"startLine": 270}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36135, "scanner": "repobility-ai-code-hygiene", "fingerprint": "209467e24ffa2a60562e1107a57abde6bbf94a3c2406e6799ace25854d2b7da3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_index_module.c", "duplicate_line": 127, "correlation_key": "fp|209467e24ffa2a60562e1107a57abde6bbf94a3c2406e6799ace25854d2b7da3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_try_files_module.c"}, "region": {"startLine": 141}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36134, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9805a8d4b65ec074d2f1b30db77b3daa7569fdf02d2290cc28884684f35f491b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_addition_filter_module.c", "duplicate_line": 
49, "correlation_key": "fp|9805a8d4b65ec074d2f1b30db77b3daa7569fdf02d2290cc28884684f35f491b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_sub_filter_module.c"}, "region": {"startLine": 102}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36133, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f20a4d927b5f2fa2100eb6f61ee323b731668d610e1e43e740f9e4e9bfa04660", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_gzip_static_module.c", "duplicate_line": 140, "correlation_key": "fp|f20a4d927b5f2fa2100eb6f61ee323b731668d610e1e43e740f9e4e9bfa04660"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_static_module.c"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36132, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fefc0c5e829ff719c703a1909eceb36ab95629ef00eaea96a4fe0aae5392c0ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_flv_module.c", "duplicate_line": 68, "correlation_key": "fp|fefc0c5e829ff719c703a1909eceb36ab95629ef00eaea96a4fe0aae5392c0ef"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_static_module.c"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36131, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9bb6751272b1d5e00b107a497563921948de213c315009ee4e32d1e0b122ec63", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_map_module.c", "duplicate_line": 149, "correlation_key": "fp|9bb6751272b1d5e00b107a497563921948de213c315009ee4e32d1e0b122ec63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_split_clients_module.c"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36130, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b56bfd6b5bac8b89c8259a9e89c40ce3f5b5539b5cccb6dc2265e2371f27f215", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_addition_filter_module.c", "duplicate_line": 49, "correlation_key": "fp|b56bfd6b5bac8b89c8259a9e89c40ce3f5b5539b5cccb6dc2265e2371f27f215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_range_filter_module.c"}, 
"region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36129, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30117715f399725cc8a36ec593f48cda01ea54170b5981a9862647a7666a2779", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_chunked_filter_module.c", "duplicate_line": 21, "correlation_key": "fp|30117715f399725cc8a36ec593f48cda01ea54170b5981a9862647a7666a2779"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_range_filter_module.c"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36128, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f4ccebb7a1e9cb32d3d28c2bec9b9dcca7bfd75b8baa066611700b28a8586cc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_autoindex_module.c", "duplicate_line": 150, "correlation_key": "fp|5f4ccebb7a1e9cb32d3d28c2bec9b9dcca7bfd75b8baa066611700b28a8586cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_random_index_module.c"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 36127, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a3711628e142b5aeaf00d0119a80e3245421bebc9947e8769e39d985627cbad2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_chunked_filter_module.c", "duplicate_line": 21, "correlation_key": "fp|a3711628e142b5aeaf00d0119a80e3245421bebc9947e8769e39d985627cbad2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_not_modified_filter_module.c"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36126, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4849c8c29446c5c9dc4bfdb4f63cfc1f448c1769a2465cd3e21ac66936708fa2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_limit_conn_module.c", "duplicate_line": 315, "correlation_key": "fp|4849c8c29446c5c9dc4bfdb4f63cfc1f448c1769a2465cd3e21ac66936708fa2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_limit_req_module.c"}, "region": {"startLine": 483}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36125, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "ac6ba663c2b80846b337b69ee97f4e302b065a6572138132ce111feed312d08d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/event/ngx_event_openssl_cache.c", "duplicate_line": 825, "correlation_key": "fp|ac6ba663c2b80846b337b69ee97f4e302b065a6572138132ce111feed312d08d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_limit_req_module.c"}, "region": {"startLine": 268}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36124, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69cb7da16b6750b21579e7c223062b1833548261cbc844da0763fcd4a43f27a4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/core/ngx_open_file_cache.c", "duplicate_line": 738, "correlation_key": "fp|69cb7da16b6750b21579e7c223062b1833548261cbc844da0763fcd4a43f27a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_limit_req_module.c"}, "region": {"startLine": 267}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36123, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5deb4393647059ddd20b2c4b62e9fcf8200a41b8ba66ed4d372e503fe142042b", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/core/ngx_open_file_cache.c", "duplicate_line": 738, "correlation_key": "fp|5deb4393647059ddd20b2c4b62e9fcf8200a41b8ba66ed4d372e503fe142042b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_limit_conn_module.c"}, "region": {"startLine": 231}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36122, "scanner": "repobility-ai-code-hygiene", "fingerprint": "abe7836b57592d09de2dc1b07c821ed446b2ec3410d7412268233665ee1c1d8d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_addition_filter_module.c", "duplicate_line": 49, "correlation_key": "fp|abe7836b57592d09de2dc1b07c821ed446b2ec3410d7412268233665ee1c1d8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_headers_filter_module.c"}, "region": {"startLine": 127}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36121, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c0f1c65f329f0b6a539f4b851843d208e7b4155dbd6bc0554f7021dad2d93e68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_flv_module.c", "duplicate_line": 69, "correlation_key": "fp|c0f1c65f329f0b6a539f4b851843d208e7b4155dbd6bc0554f7021dad2d93e68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_gzip_static_module.c"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36120, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9f3779b173581ec53d42eee129ec30b8ba16c0a59693377b90fe028a476d717e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_gunzip_filter_module.c", "duplicate_line": 316, "correlation_key": "fp|9f3779b173581ec53d42eee129ec30b8ba16c0a59693377b90fe028a476d717e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_gzip_filter_module.c"}, "region": {"startLine": 528}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36119, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0d147cab9374b91926f748f0a1779e012b0203c92318019552e442e6bc79a20e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_addition_filter_module.c", "duplicate_line": 49, "correlation_key": "fp|0d147cab9374b91926f748f0a1779e012b0203c92318019552e442e6bc79a20e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_gunzip_filter_module.c"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36118, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f9fc19468fb434ab9add4820813aebf5683c047b4962ae019450c3ec5ef3bbd9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/http/modules/ngx_http_addition_filter_module.c", "duplicate_line": 49, "correlation_key": "fp|f9fc19468fb434ab9add4820813aebf5683c047b4962ae019450c3ec5ef3bbd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_chunked_filter_module.c"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36117, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e2d8366e9f4849e7565af0a7cb36318e67e22f668d999d8805e1cac88698954", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "src/event/ngx_event_accept.c", "duplicate_line": 18, "correlation_key": "fp|7e2d8366e9f4849e7565af0a7cb36318e67e22f668d999d8805e1cac88698954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/event/quic/ngx_event_quic_udp.c"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36116, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f87bbabf2cbb10b7a9106b8acfff5cbd5a6626cd5dab2d1d343e38ed6bee96c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/event/ngx_event_udp.c", "duplicate_line": 12, "correlation_key": "fp|3f87bbabf2cbb10b7a9106b8acfff5cbd5a6626cd5dab2d1d343e38ed6bee96c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/event/quic/ngx_event_quic_udp.c"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36115, "scanner": "repobility-ai-code-hygiene", "fingerprint": "372b6fc3c89988d1dc746d1545df0e8803a3a66d09fc065c0a546cf20c87042f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/event/ngx_event_openssl_cache.c", "duplicate_line": 825, "correlation_key": 
"fp|372b6fc3c89988d1dc746d1545df0e8803a3a66d09fc065c0a546cf20c87042f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/event/ngx_event_udp.c"}, "region": {"startLine": 271}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36114, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f553b9536169d9f607ec08dfedcff8a61a7f2c1759ebd77855f6c26eeb6c961c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/event/ngx_event_accept.c", "duplicate_line": 18, "correlation_key": "fp|f553b9536169d9f607ec08dfedcff8a61a7f2c1759ebd77855f6c26eeb6c961c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/event/ngx_event_udp.c"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36113, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d0aa7af1856da5535ec38656951df7908b006e6cfd457e5c762aebc8b4a69ae5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/event/ngx_event_accept.c", "duplicate_line": 317, "correlation_key": "fp|d0aa7af1856da5535ec38656951df7908b006e6cfd457e5c762aebc8b4a69ae5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/event/ngx_event_acceptex.c"}, 
"region": {"startLine": 141}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36112, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb45aa80cd0f14fdb3270d86aa9b0eb4190358ad57399c289c3d50267a8c2224", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/event/modules/ngx_poll_module.c", "duplicate_line": 33, "correlation_key": "fp|eb45aa80cd0f14fdb3270d86aa9b0eb4190358ad57399c289c3d50267a8c2224"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/event/modules/ngx_win32_select_module.c"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36111, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f500ff4bd64b1d5cb0d8619e40be0dac906f74a0b93ab468ddef5285842006c5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/event/modules/ngx_select_module.c", "duplicate_line": 1, "correlation_key": "fp|f500ff4bd64b1d5cb0d8619e40be0dac906f74a0b93ab468ddef5285842006c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/event/modules/ngx_win32_select_module.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across 
source files"}, "properties": {"repobilityId": 36110, "scanner": "repobility-ai-code-hygiene", "fingerprint": "28e97062a01e7a272c408006948083827a7e73eb448d8a4ff16f1529052155a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/event/modules/ngx_poll_module.c", "duplicate_line": 11, "correlation_key": "fp|28e97062a01e7a272c408006948083827a7e73eb448d8a4ff16f1529052155a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/event/modules/ngx_win32_poll_module.c"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36109, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3cdafbcee45f73bfb6584af91de8e504ac8747fd64c35e4d3d39e3b5641854af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/event/modules/ngx_poll_module.c", "duplicate_line": 33, "correlation_key": "fp|3cdafbcee45f73bfb6584af91de8e504ac8747fd64c35e4d3d39e3b5641854af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/event/modules/ngx_select_module.c"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36108, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"e0e1d2f139223d9e5c7fc200c2b81c8082d97b98ff7cc9441a1f0c54d24e6b2c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/event/modules/ngx_devpoll_module.c", "duplicate_line": 258, "correlation_key": "fp|e0e1d2f139223d9e5c7fc200c2b81c8082d97b98ff7cc9441a1f0c54d24e6b2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/event/modules/ngx_epoll_module.c"}, "region": {"startLine": 498}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36107, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9fa9615055bbf3580cec14a711f6aa8d2500830f557abd0acfb017ee24211cd3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/core/ngx_md5.c", "duplicate_line": 14, "correlation_key": "fp|9fa9615055bbf3580cec14a711f6aa8d2500830f557abd0acfb017ee24211cd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/core/ngx_sha1.c"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 36153, "scanner": "repobility-threat-engine", "fingerprint": "c431138b9fe246a46cea789e10020ab2ad72d414aed2fc93c9b7622173a8c729", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c431138b9fe246a46cea789e10020ab2ad72d414aed2fc93c9b7622173a8c729"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/os/win32/ngx_alloc.c"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 36152, "scanner": "repobility-threat-engine", "fingerprint": "f2e900e6e619949b0d0a1c16a397fd2bcc3d2615250f3195eebfed7263254ab6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2e900e6e619949b0d0a1c16a397fd2bcc3d2615250f3195eebfed7263254ab6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/os/unix/ngx_errno.c"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 36151, "scanner": "repobility-threat-engine", "fingerprint": 
"c09213a7fe96dac0af6660d98b79cd894b81cad454ce4119b98a94083ee08407", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c09213a7fe96dac0af6660d98b79cd894b81cad454ce4119b98a94083ee08407"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/os/unix/ngx_alloc.c"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 36146, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 36142, "scanner": "repobility-threat-engine", "fingerprint": "58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "aggregated_count": 2}}}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 36150, "scanner": "repobility-threat-engine", "fingerprint": "1d04ee6d9c0378d489f68afcba6b658994bbf0925e93d561644099ea918f1e52", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(ngx_http_request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|src/http/ngx_http_cache.h|193|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/ngx_http_cache.h"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 36145, "scanner": "repobility-threat-engine", "fingerprint": "20be00ec76714e8f935cba5457fac96656ec829c8b35095425213029d8ee3bc4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|20be00ec76714e8f935cba5457fac96656ec829c8b35095425213029d8ee3bc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/core/ngx_syslog.c"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 36144, "scanner": "repobility-threat-engine", "fingerprint": "bef7766df50c9c607629c0bf50bc0becce572606f615ae2c4c43db720722845c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bef7766df50c9c607629c0bf50bc0becce572606f615ae2c4c43db720722845c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/core/ngx_string.h"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 36143, "scanner": "repobility-threat-engine", "fingerprint": "797cbc7890e4d4dc0763fe4f4062bffa11d1757691709a38853d79a083bb976f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|797cbc7890e4d4dc0763fe4f4062bffa11d1757691709a38853d79a083bb976f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/core/ngx_inet.h"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 36141, "scanner": "repobility-threat-engine", "fingerprint": "2ab4875fc3952ff926cbc5ecafe355740baf1d476d6875688bdf5f320add35fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ab4875fc3952ff926cbc5ecafe355740baf1d476d6875688bdf5f320add35fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mail/ngx_mail_imap_module.c"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, 
"properties": {"repobilityId": 36140, "scanner": "repobility-threat-engine", "fingerprint": "568185e8a3e4d157da3cb2676021586791a5ecbb8be8f159d9ef6e872d8d1fe4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|568185e8a3e4d157da3cb2676021586791a5ecbb8be8f159d9ef6e872d8d1fe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/http/modules/ngx_http_secure_link_module.c"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 36139, "scanner": "repobility-threat-engine", "fingerprint": "e603d2e1b2b5fb1996e6dee5447aac88b1dd672a3c793982cfd6dd67ad57aa20", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e603d2e1b2b5fb1996e6dee5447aac88b1dd672a3c793982cfd6dd67ad57aa20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/core/ngx_crypt.c"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`nginx/ci-self-hosted/.github/workflows/nginx-buildbot.yml` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 36138, "scanner": "repobility-supply-chain", "fingerprint": "84ca488ee7fc550009bc04c830779003ae4339b15d450a8d2063f494bafdaefd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84ca488ee7fc550009bc04c830779003ae4339b15d450a8d2063f494bafdaefd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildbot.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `nginx/ci-self-hosted/.github/workflows/nginx-check-pr.yml` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 36137, "scanner": "repobility-supply-chain", "fingerprint": "1f7c5d1f09d50f950033bbec62b0e312de573869f35bf2d8d5ec5a3805c9dd7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f7c5d1f09d50f950033bbec62b0e312de573869f35bf2d8d5ec5a3805c9dd7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-pr.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 36105, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}]}]}