{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": 
"docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": 
"Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": 
"Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `new` has cognitive complexity 10 (SonarSource scale). Cognitive complexit", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `new` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 10."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.", "shortDescription": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `glean/lang/codemarkup/tests/haskell/code/A.o` committed in source repo: `glean/lang/codemarkup/t", "shortDescription": {"text": "[MINED134] Binary file `glean/lang/codemarkup/tests/haskell/code/A.o` committed in source repo: `glean/lang/codemarkup/tests/haskell/code/A.o` is a .o binary (13,992 bytes) committed to a repo that otherwise has 655 source files. Trojan bin"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. 
If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ubuntu:24.04` unpinned: `container/services image: ubuntu:24.04` without `", "shortDescription": {"text": "[MINED126] Workflow container/services image `ubuntu:24.04` unpinned: `container/services image: ubuntu:24.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain di"}, "fullDescription": {"text": "Replace with `ubuntu:24.04@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED119", "name": "[MINED119] Dockerfile `ADD https://api.github.com/repos/facebookincubator/hsthrift/compare/main...HEAD`: Dockerfile `ADD", "shortDescription": {"text": "[MINED119] Dockerfile `ADD https://api.github.com/repos/facebookincubator/hsthrift/compare/main...HEAD`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between la"}, "fullDescription": {"text": "Download the file in CI with a known checksum, vendor it into the repo, and COPY it during the build. Or use `RUN curl -sSL URL | sha256sum -c <(echo '<expected> -')` to verify."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ubuntu:20.04` not pinned by digest: `FROM ubuntu:20.04` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ubuntu:20.04` not pinned by digest: `FROM ubuntu:20.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM ubuntu:20.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertFalse` used but never assigned in __init__: Method `test_usr_to_definition_with_mode_test_not_fou", "shortDescription": {"text": "[MINED108] `self.assertFalse` used but never assigned in __init__: Method `test_usr_to_definition_with_mode_test_not_found` of class `SwiftGlassClientE2ETest` reads `self.assertFalse`, but no assignment to it exists in __init__ (and no clas"}, "fullDescription": {"text": "Initialize `self.assertFalse = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_usr_to_definition_swift_class_without_revision: Test function `test_usr_to_defini", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_usr_to_definition_swift_class_without_revision: Test function `test_usr_to_definition_swift_class_without_revision` runs code but contains no assert / expect / should call \u2014 it passes regardless of beh"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED025", "name": "[MINED025] Php Eval: eval() executes arbitrary PHP. Code injection.", "shortDescription": {"text": "[MINED025] Php Eval: eval() executes arbitrary PHP. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED015", "name": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection.", "shortDescription": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1096"}, "properties": {"repository": "facebookincubator/Glean", "repoUrl": "https://github.com/facebookincubator/Glean", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 107489, "scanner": "repobility-ast-engine", "fingerprint": "2d5b97d96e92213878824442286d9c49e5019d3fe780d1fc7d9b611b56532d7e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2d5b97d96e92213878824442286d9c49e5019d3fe780d1fc7d9b611b56532d7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 107458, "scanner": "repobility-docker", "fingerprint": "2af37dcfcce51c727608c5330fb233e8335f314e94276d5723f5ecdf705da7cc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:20.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2af37dcfcce51c727608c5330fb233e8335f314e94276d5723f5ecdf705da7cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 107456, "scanner": "repobility-docker", "fingerprint": 
"1b900e212d56907b721e46ebdc9ca70c6ac6c53241541e716942ec6a92debb0a", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1b900e212d56907b721e46ebdc9ca70c6ac6c53241541e716942ec6a92debb0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 107454, "scanner": "repobility-docker", "fingerprint": "01c9327c17496a30f170e52ec8d43d068e0fb066b668275237ec915aaa0fabd2", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/facebookincubator/hsthrift/ci-base:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|01c9327c17496a30f170e52ec8d43d068e0fb066b668275237ec915aaa0fabd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 107453, "scanner": "repobility-agent-runtime", "fingerprint": "aa4ab32e3a0037abe80b2b90eb53c453e09f7bd40ec02d17d471f2a8fd56d739", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": 
false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|aa4ab32e3a0037abe80b2b90eb53c453e09f7bd40ec02d17d471f2a8fd56d739"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 107437, "scanner": "repobility-threat-engine", "fingerprint": "6ba23ebedc9259b54914237d83c44933076b5a48b65f1c2c6913634488e2e014", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|15|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/shell/Glean/Shell/Types.hs"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 107436, "scanner": "repobility-threat-engine", "fingerprint": "140e9ed85c2c7659292b8de97546e5e7cb9dd29ae3a76e0e1ba32081a928a4a5", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Eval (", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|42|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/shell/Glean/Shell/Index.hs"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 107432, "scanner": "repobility-threat-engine", "fingerprint": "b9aea22e8641f71b4324351e2f76cd8564ddacc5d3887866aa098b28db6f8df2", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|40|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/lang/java-alpha/index_and_extract.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 107431, "scanner": "repobility-threat-engine", "fingerprint": 
"db368553e29b61a27655c1636b4a410e5528b8ad32e42e64e085fb1a3e0628c0", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|39|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/lang/java-alpha/debug.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 107428, "scanner": "repobility-threat-engine", "fingerprint": "6a2526b9196bfb565565737c59570dca1db7372180d7b24e7193a4a46d313dc7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Debug = True", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6a2526b9196bfb565565737c59570dca1db7372180d7b24e7193a4a46d313dc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/db/Glean/Database/Env.hs"}, "region": {"startLine": 162}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 107459, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", 
"confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 107457, "scanner": "repobility-docker", "fingerprint": "5bcb1e3925ca6a607b03b71a926633b76f5eeed1dab691b378e9ceb71c2a1665", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5bcb1e3925ca6a607b03b71a926633b76f5eeed1dab691b378e9ceb71c2a1665"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 107455, "scanner": "repobility-docker", "fingerprint": "9b98c31c66d05ff92a3082f57028ffbc20d12d3a4071dd10933d751c96b47d7b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9b98c31c66d05ff92a3082f57028ffbc20d12d3a4071dd10933d751c96b47d7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107452, "scanner": "repobility-ai-code-hygiene", "fingerprint": "28cd14a0af5555a640a06e263e73a3487df630a06b1040bae30c08d623141d0a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "glean/rts/query.cpp", "duplicate_line": 373, "correlation_key": "fp|28cd14a0af5555a640a06e263e73a3487df630a06b1040bae30c08d623141d0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/rts/query.h"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107451, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36d9fb546e7cd4f906574da2317180e6abddce36751586a32f7d4368699fdb92", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "glean/rts/fuzz/restart_query_a0/RestartQueryFuzzera0.cpp", "duplicate_line": 45, "correlation_key": 
"fp|36d9fb546e7cd4f906574da2317180e6abddce36751586a32f7d4368699fdb92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/rts/lookup.h"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107450, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90188326454bcc8fc62de990e8e75e7938f8104ceb9d8fa9e0ad29dbe3238f99", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "glean/lmdb/database-impl.h", "duplicate_line": 6, "correlation_key": "fp|90188326454bcc8fc62de990e8e75e7938f8104ceb9d8fa9e0ad29dbe3238f99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/rocksdb/database-impl.h"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107449, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6318dfdf7cee9c9a9faa5fe5241b66fbdb0025d6a43c5f550b0fab20933eea22", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "glean/lmdb/database-impl.cpp", "duplicate_line": 4, "correlation_key": "fp|6318dfdf7cee9c9a9faa5fe5241b66fbdb0025d6a43c5f550b0fab20933eea22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/rocksdb/database-impl.cpp"}, "region": 
{"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107448, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b064bc89d8c36aa5d5fe06d3210e80ef98fc75bffad25df6dab622ef9b9a7502", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "glean/lmdb/container-impl.h", "duplicate_line": 19, "correlation_key": "fp|b064bc89d8c36aa5d5fe06d3210e80ef98fc75bffad25df6dab622ef9b9a7502"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/rocksdb/container-impl.h"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107447, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16454af32e66600cbabe50b60fb78e51ecb260afb09a4567b960633b971cf5ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "glean/lang/java-alpha/indexer/java/com/facebook/glean/descriptors/ConstructorDescriptor.java", "duplicate_line": 35, "correlation_key": "fp|16454af32e66600cbabe50b60fb78e51ecb260afb09a4567b960633b971cf5ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/lang/java-alpha/indexer/java/com/facebook/glean/descriptors/MethodDescriptor.java"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107446, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c2f1a56998ed2cedf4dfec15f30298c09b0427ae0c0853a55c23bdcec16a6297", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "glean/lang/java-alpha/debug.py", "duplicate_line": 11, "correlation_key": "fp|c2f1a56998ed2cedf4dfec15f30298c09b0427ae0c0853a55c23bdcec16a6297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/lang/java-alpha/index_and_extract.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107445, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ead627735d35b48564abdfe789da69cb04abde08c811ca2073151c3d9ac97165", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "glean/client/swift/GlassSwiftLocalClient.cpp", "duplicate_line": 11, "correlation_key": "fp|ead627735d35b48564abdfe789da69cb04abde08c811ca2073151c3d9ac97165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/GlassSwiftRemoteClient.cpp"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String 
built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review pass."}, "properties": {"repobilityId": 107433, "scanner": "repobility-threat-engine", "fingerprint": "b14e4b90e865a3b6cf48ce62e13d239bfc613f020b621951bb2d921177972c66", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.indentedLog(\"ByteSpan: \" + startPosition + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b14e4b90e865a3b6cf48ce62e13d239bfc613f020b621951bb2d921177972c66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/lang/java-alpha/indexer/java/com/facebook/glean/descriptors/LocationDescriptor.java"}, "region": {"startLine": 18}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `new` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, if=6, nested_bonus=3."}, "properties": {"repobilityId": 107429, "scanner": "repobility-threat-engine", "fingerprint": "3b4414fdc4c603a52390c7a1a6dcc9a8932de91a58cd1e1ec0f9302e2ff31eb5", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "new", "breakdown": {"if": 6, "else": 1, "nested_bonus": 3}, "complexity": 10, "correlation_key": "fp|3b4414fdc4c603a52390c7a1a6dcc9a8932de91a58cd1e1ec0f9302e2ff31eb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/glass/client/py3/__init__.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 107435, "scanner": "repobility-threat-engine", "fingerprint": "f3e0effdbbc0e6b486fd8b247b24e1a023ced2ced05056b860d367f1eada4ac9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3e0effdbbc0e6b486fd8b247b24e1a023ced2ced05056b860d367f1eada4ac9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/lmdb-clib/midl.c"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates 
correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 107430, "scanner": "repobility-threat-engine", "fingerprint": "632fd5c7cf10b44ee6b5ab54214156dbff932b8918f660959dc12f232a151e0a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|632fd5c7cf10b44ee6b5ab54214156dbff932b8918f660959dc12f232a151e0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/hs/Glean/RTS.hs"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 107427, "scanner": "repobility-threat-engine", "fingerprint": "0b38375b078c8418d6307aa9c570040a9643ba3a5d7e1f025acbe797cc3bdc28", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0b38375b078c8418d6307aa9c570040a9643ba3a5d7e1f025acbe797cc3bdc28", "aggregated_count": 5}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 107426, "scanner": "repobility-threat-engine", "fingerprint": "260de81ba0642c764c10ddc8308a3245399133614cea5bcca2d79dc0aed92ea9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|260de81ba0642c764c10ddc8308a3245399133614cea5bcca2d79dc0aed92ea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/GlassSwiftRemoteClient.cpp"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 107425, "scanner": "repobility-threat-engine", "fingerprint": "7ac99e1ecb672dc4c147115fcd0afb873293af205dc009102b9b43cc0cd8191c", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ac99e1ecb672dc4c147115fcd0afb873293af205dc009102b9b43cc0cd8191c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/GlassSwiftLocalClient.cpp"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 107424, "scanner": "repobility-threat-engine", "fingerprint": "1ace558d02d44d3afddf97e8c35df412f0002cb73140255acfba9ab96164aef9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ace558d02d44d3afddf97e8c35df412f0002cb73140255acfba9ab96164aef9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/bench/ServerQueryBench.hs"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 107423, "scanner": "repobility-threat-engine", "fingerprint": "6051ea758843b6ed68b455d709042d2268cab1c99d8af234e1c6a7fbf59c516d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6051ea758843b6ed68b455d709042d2268cab1c99d8af234e1c6a7fbf59c516d", "aggregated_count": 3}}}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 107422, "scanner": "repobility-threat-engine", "fingerprint": "21aa1a14138075a8f89f01c8b7c80122f2867d8e861a9db0f0afb0fe5cfbd364", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21aa1a14138075a8f89f01c8b7c80122f2867d8e861a9db0f0afb0fe5cfbd364"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/hs/Glean/Write.hs"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED085", "level": "none", "message": 
{"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 107421, "scanner": "repobility-threat-engine", "fingerprint": "dd5f3fc2016925a9d9d4e0c70d20f1cd58cbde6df3d42ce86308319a6f644013", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dd5f3fc2016925a9d9d4e0c70d20f1cd58cbde6df3d42ce86308319a6f644013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/bench/ServerQueryBench.hs"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 107420, "scanner": "repobility-threat-engine", "fingerprint": "d9c17c544f37a8f07d1c60662c2c9a8462353baef0bb2bec1479082c81840ce9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d9c17c544f37a8f07d1c60662c2c9a8462353baef0bb2bec1479082c81840ce9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/bench/FactSetBench.hs"}, 
"region": {"startLine": 41}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 107419, "scanner": "repobility-threat-engine", "fingerprint": "8d382f1a9011e34b41d4813c5064868da88d0861c3460c6e680d07ddd9a72035", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8d382f1a9011e34b41d4813c5064868da88d0861c3460c6e680d07ddd9a72035", "aggregated_count": 12}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 107418, "scanner": "repobility-threat-engine", "fingerprint": "50834904d02a933d17de987025528415e6f9e2eabdb951ebb797a889164dbe15", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|50834904d02a933d17de987025528415e6f9e2eabdb951ebb797a889164dbe15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/glass/Glean/Glass/Range.hs"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 107417, "scanner": "repobility-threat-engine", "fingerprint": "958ecc9342ebda6786f088242a3a234636c666e2ef2c81826bd2b8ee3ee1659b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|958ecc9342ebda6786f088242a3a234636c666e2ef2c81826bd2b8ee3ee1659b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/hs/Glean/Repo.hs"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 107416, "scanner": "repobility-threat-engine", "fingerprint": "75d3611d1f32b9736cd23f2d1bfec60e690361b5ea0696c90d55b80964494784", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|75d3611d1f32b9736cd23f2d1bfec60e690361b5ea0696c90d55b80964494784"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/bench/CompileBench.hs"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 107415, "scanner": "repobility-threat-engine", "fingerprint": "58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "aggregated_count": 2}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `glean/lang/codemarkup/tests/haskell/code/A.o` committed in source repo: `glean/lang/codemarkup/tests/haskell/code/A.o` is a .o binary (13,992 bytes) committed to a repo that otherwise has 655 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 107508, "scanner": "repobility-supply-chain", "fingerprint": "e4b1ce3d8c11bfa31e14a67bc9415dbf489655391ffed39c7b5a74ef3e912f91", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4b1ce3d8c11bfa31e14a67bc9415dbf489655391ffed39c7b5a74ef3e912f91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/lang/codemarkup/tests/haskell/code/A.o"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:24.04` unpinned: `container/services image: ubuntu:24.04` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 107507, "scanner": "repobility-supply-chain", "fingerprint": "5b2ccf4c521fe0ee89b9519049f097973dc06c8dd7f756dd4f98ff8b0d1cc617", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b2ccf4c521fe0ee89b9519049f097973dc06c8dd7f756dd4f98ff8b0d1cc617"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107506, "scanner": "repobility-supply-chain", "fingerprint": "332f7a2eb5f5d9c5abb518cbcbdbea4bb61d9d6cd316dda0c488d397b486f952", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|332f7a2eb5f5d9c5abb518cbcbdbea4bb61d9d6cd316dda0c488d397b486f952"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107505, "scanner": "repobility-supply-chain", "fingerprint": "db423994550e9231f379970c25b2f35a5803cf78ddb593d9f7bc5a20acfe2210", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db423994550e9231f379970c25b2f35a5803cf78ddb593d9f7bc5a20acfe2210"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107504, "scanner": "repobility-supply-chain", "fingerprint": "06bf3e8c8284475040630c00b435473300950a6fdced3ceb3e939319bd79080b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06bf3e8c8284475040630c00b435473300950a6fdced3ceb3e939319bd79080b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107503, "scanner": "repobility-supply-chain", "fingerprint": "54bc808cdf1e87623558d1d418fae3b56555785f884be2f10ad17756ce639540", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54bc808cdf1e87623558d1d418fae3b56555785f884be2f10ad17756ce639540"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v4`: `uses: actions/setup-dotnet@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107502, "scanner": "repobility-supply-chain", "fingerprint": "e031cad85304f38d5280196a028c711463250c34d424c096fe2793f819ef00e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e031cad85304f38d5280196a028c711463250c34d424c096fe2793f819ef00e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107501, "scanner": "repobility-supply-chain", "fingerprint": "3848eaea9bda5f4a63b83be7fd635db928a719b3c27c2ba053a0b7dd1ce75bc3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3848eaea9bda5f4a63b83be7fd635db928a719b3c27c2ba053a0b7dd1ce75bc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107500, "scanner": "repobility-supply-chain", "fingerprint": "acbf90ed74e7786d5dd23c6db1abbed02a2dca01a560f55937fe81d4d6fac2aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|acbf90ed74e7786d5dd23c6db1abbed02a2dca01a560f55937fe81d4d6fac2aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107499, "scanner": "repobility-supply-chain", "fingerprint": "d18e0e6a2e532c646f0a331b49b4eeae9cd1413780824c3dd69952d43ffa7e9d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d18e0e6a2e532c646f0a331b49b4eeae9cd1413780824c3dd69952d43ffa7e9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/glean-docker.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107498, "scanner": "repobility-supply-chain", "fingerprint": "8b54eb3c8e624eba5650cdaafaba0e27a9aa429ba9ea0de99e501d9a3bcc708a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b54eb3c8e624eba5650cdaafaba0e27a9aa429ba9ea0de99e501d9a3bcc708a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-aarch64.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107497, "scanner": "repobility-supply-chain", "fingerprint": "8f6af114bf3b4231c3e1961980c86f953742b17f7ff125e50beec07152aeb51a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f6af114bf3b4231c3e1961980c86f953742b17f7ff125e50beec07152aeb51a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-aarch64.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107496, "scanner": "repobility-supply-chain", "fingerprint": "43c2224b37b6cbe992a3121c84df50223f28f0d7bce65548d496ed1717efd5ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43c2224b37b6cbe992a3121c84df50223f28f0d7bce65548d496ed1717efd5ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-aarch64.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107495, "scanner": "repobility-supply-chain", "fingerprint": "47b420a05610220602fd975ebb56340680317cf2a971d9bd948d90459735c407", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47b420a05610220602fd975ebb56340680317cf2a971d9bd948d90459735c407"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-aarch64.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `JamesIves/github-pages-deploy-action` pinned to mutable ref `@releases/v3`: `uses: JamesIves/github-pages-deploy-action@releases/v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107494, "scanner": "repobility-supply-chain", "fingerprint": "70cee21a25bc8475bc453467e3e29cba6afa244a2d02b6fe1cc2a1743112f88e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70cee21a25bc8475bc453467e3e29cba6afa244a2d02b6fe1cc2a1743112f88e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh_pages.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 107493, "scanner": "repobility-supply-chain", "fingerprint": "f0360eb48439a748b6e4d1df0db8fdfb8df594b720dd18cdd8e35aa944d8555f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0360eb48439a748b6e4d1df0db8fdfb8df594b720dd18cdd8e35aa944d8555f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gh_pages.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://api.github.com/repos/facebookincubator/hsthrift/compare/main...HEAD`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 107492, "scanner": "repobility-supply-chain", "fingerprint": "c9dea0da8c08ff79928e75913f4ac1f477d8a4f04ac1007245533b56d49ae182", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9dea0da8c08ff79928e75913f4ac1f477d8a4f04ac1007245533b56d49ae182"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:20.04` not pinned by digest: `FROM ubuntu:20.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 107491, "scanner": "repobility-supply-chain", "fingerprint": "48409f85f35cb20bc45f1a37217c718169b0a87fd2fb94a7f8ca07dfd4e7e733", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48409f85f35cb20bc45f1a37217c718169b0a87fd2fb94a7f8ca07dfd4e7e733"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ghcr.io/facebookincubator/hsthrift/ci-base:latest` not pinned by digest: `FROM ghcr.io/facebookincubator/hsthrift/ci-base:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 107490, "scanner": "repobility-supply-chain", "fingerprint": "46d929f67a1797098725e5fde17b9d1001da9f56fc414bc6eeefc7a1833c26a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46d929f67a1797098725e5fde17b9d1001da9f56fc414bc6eeefc7a1833c26a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertFalse` used but never assigned in __init__: Method `test_usr_to_definition_with_mode_test_not_found` of class `SwiftGlassClientE2ETest` reads `self.assertFalse`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107488, "scanner": "repobility-ast-engine", "fingerprint": "2138f1199645ba2011c24948ff76601e1c2face4d46facf7d608e9637e156650", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2138f1199645ba2011c24948ff76601e1c2face4d46facf7d608e9637e156650"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 254}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._drain_stderr_lines` used but never assigned in __init__: Method `test_usr_to_definition_with_mode_test_not_found` of class `SwiftGlassClientE2ETest` reads `self._drain_stderr_lines`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107487, "scanner": "repobility-ast-engine", "fingerprint": "2358b9c54d60a16d2b9648c4f24b22d16d606723a9e3c31d01586a4e51a66f10", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2358b9c54d60a16d2b9648c4f24b22d16d606723a9e3c31d01586a4e51a66f10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertNotIn` used but never assigned in __init__: Method `test_usr_to_definition_with_mode_test_not_found` of class `SwiftGlassClientE2ETest` reads `self.assertNotIn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107486, "scanner": "repobility-ast-engine", "fingerprint": "df68ded07ca3ab56dcdc7bd1f9e729252ca27fc5203c262d8ca5ace6654e75d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|df68ded07ca3ab56dcdc7bd1f9e729252ca27fc5203c262d8ca5ace6654e75d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_usr_to_definition_with_mode_test_not_found` of class `SwiftGlassClientE2ETest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107485, "scanner": "repobility-ast-engine", "fingerprint": "dd41331e569b400da655be9e1a5804085ff2bd5cc004ba5cd7bc9200c447ea68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dd41331e569b400da655be9e1a5804085ff2bd5cc004ba5cd7bc9200c447ea68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_usr_to_definition_with_mode_test_not_found` of class `SwiftGlassClientE2ETest` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107484, "scanner": "repobility-ast-engine", "fingerprint": "1d6972be2c92a9310fcd609c0c6fec9613d6510b0ba668c20391eff900ed6910", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d6972be2c92a9310fcd609c0c6fec9613d6510b0ba668c20391eff900ed6910"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 236}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_usr_to_definition_with_mode_test_not_found` of class `SwiftGlassClientE2ETest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107483, "scanner": "repobility-ast-engine", "fingerprint": "c0d3e56ad27f0eee8e4ee7d8cff47df17d01d3a654acf11093df4ea8d4941fa5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c0d3e56ad27f0eee8e4ee7d8cff47df17d01d3a654acf11093df4ea8d4941fa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_usr_to_definition_with_mode_test_not_found` of class `SwiftGlassClientE2ETest` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107482, "scanner": "repobility-ast-engine", "fingerprint": "95b8a0113a39250fcbda0cc6167932847a35be5525548b3d1e4f8d0d7ccc9927", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|95b8a0113a39250fcbda0cc6167932847a35be5525548b3d1e4f8d0d7ccc9927"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_request_and_get_response` used but never assigned in __init__: Method `test_usr_to_definition_with_mode_test_not_found` of class `SwiftGlassClientE2ETest` reads `self.send_request_and_get_response`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107481, "scanner": "repobility-ast-engine", "fingerprint": "10cfb672400bf2332bd2f7bafa73fb5f0c30521634a303de6595eaf4f548304e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|10cfb672400bf2332bd2f7bafa73fb5f0c30521634a303de6595eaf4f548304e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 229}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._start_process` used but never assigned in __init__: Method `test_usr_to_definition_with_mode_test_not_found` of class `SwiftGlassClientE2ETest` reads `self._start_process`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107480, "scanner": "repobility-ast-engine", "fingerprint": "cdf578bc2217942ea0d1b8f9deb28ffc66d669d61e7d98f4a9ba56efe34ceecd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cdf578bc2217942ea0d1b8f9deb28ffc66d669d61e7d98f4a9ba56efe34ceecd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.fail` used but never assigned in __init__: Method `send_invalid_request_and_get_response` of class `SwiftGlassClientE2ETest` reads `self.fail`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107479, "scanner": "repobility-ast-engine", "fingerprint": "953d8a07959a30799f8b9efc7821130be219349824156a05f14661e471e897d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|953d8a07959a30799f8b9efc7821130be219349824156a05f14661e471e897d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.fail` used but never assigned in __init__: Method `send_invalid_request_and_get_response` of class `SwiftGlassClientE2ETest` reads `self.fail`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107478, "scanner": "repobility-ast-engine", "fingerprint": "6ad41d8f3da9b2d0cd60221b7bffd6b9ff5b5dcffcf05debbb082fc7c331b123", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6ad41d8f3da9b2d0cd60221b7bffd6b9ff5b5dcffcf05debbb082fc7c331b123"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.fail` used but never assigned in __init__: Method `send_request_and_get_response` of class `SwiftGlassClientE2ETest` reads `self.fail`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107477, "scanner": "repobility-ast-engine", "fingerprint": "3c333b9fc7c4c5f081843ddd22e5e994426b5a48d55e6f551da87a76eb5735f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3c333b9fc7c4c5f081843ddd22e5e994426b5a48d55e6f551da87a76eb5735f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.fail` used but never assigned in __init__: Method `send_request_and_get_response` of class `SwiftGlassClientE2ETest` reads `self.fail`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107476, "scanner": "repobility-ast-engine", "fingerprint": "f9fd257e66f5a1e3c5c6950753b81628b06b6829d8a32df957e4d2d86f85f16f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f9fd257e66f5a1e3c5c6950753b81628b06b6829d8a32df957e4d2d86f85f16f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.fail` used but never assigned in __init__: Method `send_request_and_get_response` of class `SwiftGlassClientE2ETest` reads `self.fail`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107475, "scanner": "repobility-ast-engine", "fingerprint": "e4fcb8c16afd33c67efb7990dff9ed3ab0ac17e22c4a0eefee27fe583b93b3d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e4fcb8c16afd33c67efb7990dff9ed3ab0ac17e22c4a0eefee27fe583b93b3d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.fail` used but never assigned in __init__: Method `_wait_for_glass_initialization` of class `SwiftGlassClientE2ETest` reads `self.fail`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107474, "scanner": "repobility-ast-engine", "fingerprint": "89326743e29c636db343c0d4f5bf17202f2a02e88c93c6f8dd955af45c9e399f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89326743e29c636db343c0d4f5bf17202f2a02e88c93c6f8dd955af45c9e399f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.fail` used but never assigned in __init__: Method `_wait_for_glass_initialization` of class `SwiftGlassClientE2ETest` reads `self.fail`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107473, "scanner": "repobility-ast-engine", "fingerprint": "57a3958589851e14b6c6c55bed25aaa414562dcb97a021b4d17b16f8817a82fa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|57a3958589851e14b6c6c55bed25aaa414562dcb97a021b4d17b16f8817a82fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.fail` used but never assigned in __init__: Method `_wait_for_glass_initialization` of class `SwiftGlassClientE2ETest` reads `self.fail`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107472, "scanner": "repobility-ast-engine", "fingerprint": "1b5d4c0d3aef04380d75a7336d107f97b332b050385c207ed5c181552bd783c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1b5d4c0d3aef04380d75a7336d107f97b332b050385c207ed5c181552bd783c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 147}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._binary_path` used but never assigned in __init__: Method `_start_process` of class `SwiftGlassClientE2ETest` reads `self._binary_path`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107471, "scanner": "repobility-ast-engine", "fingerprint": "cca7d65ca6cf5bb94308e26990a6c4e3ff4bb11362bd344b570b693cbe1ed276", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cca7d65ca6cf5bb94308e26990a6c4e3ff4bb11362bd344b570b693cbe1ed276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._wait_for_glass_initialization` used but never assigned in __init__: Method `_start_process` of class `SwiftGlassClientE2ETest` reads `self._wait_for_glass_initialization`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107470, "scanner": "repobility-ast-engine", "fingerprint": "c936e89abd9f46e2ce6c5d5209cae594e19c6f01ea45371986ba1bef9fc13666", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c936e89abd9f46e2ce6c5d5209cae594e19c6f01ea45371986ba1bef9fc13666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._binary_path` used but never assigned in __init__: Method `setUp` of class `SwiftGlassClientE2ETest` reads `self._binary_path`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107469, "scanner": "repobility-ast-engine", "fingerprint": "53895dd8721b6d563035a7b8af59bffc0336693b1e7fb535cdfd8b0fd72ecd35", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|53895dd8721b6d563035a7b8af59bffc0336693b1e7fb535cdfd8b0fd72ecd35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._binary_path` used but never assigned in __init__: Method `setUp` of class `SwiftGlassClientE2ETest` reads `self._binary_path`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107468, "scanner": "repobility-ast-engine", "fingerprint": "a25e269656350d9220c21654afb6cbb794f96fb6bc9ba88cf4f844bcf99b22ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a25e269656350d9220c21654afb6cbb794f96fb6bc9ba88cf4f844bcf99b22ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._binary_path` used but never assigned in __init__: Method `setUp` of class `SwiftGlassClientE2ETest` reads `self._binary_path`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107467, "scanner": "repobility-ast-engine", "fingerprint": "cb84fdbb8c41191c95ef379ee2c0fdb97d754f9022a90aa97e8e63c16f6e6fb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cb84fdbb8c41191c95ef379ee2c0fdb97d754f9022a90aa97e8e63c16f6e6fb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._binary_path` used but never assigned in __init__: Method `setUp` of class `SwiftGlassClientE2ETest` reads `self._binary_path`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107466, "scanner": "repobility-ast-engine", "fingerprint": "8b435135bb6a9506a828161b47ab3fadb5257425f421ee493195b84dcb1930ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8b435135bb6a9506a828161b47ab3fadb5257425f421ee493195b84dcb1930ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.revision` used but never assigned in __init__: Method `setUp` of class `SwiftGlassClientE2ETest` reads `self.revision`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107465, "scanner": "repobility-ast-engine", "fingerprint": "5d2cdd0be82f4880ff93671a7651f77321ca49c31baec28a1bd3d0c5556b47b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d2cdd0be82f4880ff93671a7651f77321ca49c31baec28a1bd3d0c5556b47b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._binary_path` used but never assigned in __init__: Method `setUp` of class `SwiftGlassClientE2ETest` reads `self._binary_path`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 107464, "scanner": "repobility-ast-engine", "fingerprint": "1152df9a657349d2477e5b70e6611dd5a9741f00c08be41f08d04d8be1c2fa9a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1152df9a657349d2477e5b70e6611dd5a9741f00c08be41f08d04d8be1c2fa9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_usr_to_definition_swift_class_without_revision: Test function `test_usr_to_definition_swift_class_without_revision` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 107463, "scanner": "repobility-ast-engine", "fingerprint": "b530599931f3bf8f6e356df2956df2701bbb8103b96ec10c75290d34f8d687d3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b530599931f3bf8f6e356df2956df2701bbb8103b96ec10c75290d34f8d687d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 572}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_usr_to_definition_swift_class_with_revision: Test function `test_usr_to_definition_swift_class_with_revision` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 107462, "scanner": "repobility-ast-engine", "fingerprint": "832d3c203e9281d01251a4a471605344fe7b9f378d9254f7f2a671067a6fafc4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|832d3c203e9281d01251a4a471605344fe7b9f378d9254f7f2a671067a6fafc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/e2e_test/test_swift_glass_client.py"}, "region": {"startLine": 560}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_more_fun: Test function `test_more_fun` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 107461, "scanner": "repobility-ast-engine", "fingerprint": "19406caabf4639c65be48e57f7b9da228a3f6b1faa36ccd5c75410e9abd3d55c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|19406caabf4639c65be48e57f7b9da228a3f6b1faa36ccd5c75410e9abd3d55c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/lang/python-pyrefly/tests/regression/without_dynamic_import/core/xrefs/as.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_fun: Test function `test_fun` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 107460, "scanner": "repobility-ast-engine", "fingerprint": "3875ad8b21cd24dd6f0ad79d4f50f7460441b1632079e7378fd834dc476d01fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3875ad8b21cd24dd6f0ad79d4f50f7460441b1632079e7378fd834dc476d01fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/lang/python-pyrefly/tests/regression/without_dynamic_import/core/xrefs/as.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 107444, "scanner": "repobility-threat-engine", "fingerprint": "bef69125e9358e93b0dd91c76c0e3b96ee70e0f8cf00cd8a6b6d974337100fe5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bef69125e9358e93b0dd91c76c0e3b96ee70e0f8cf00cd8a6b6d974337100fe5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/website/src/pages/index.js"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 107434, "scanner": "repobility-threat-engine", "fingerprint": "328a66f93c1f2c699048b8d002cdea2d04a28ec5048f9a7c6cc3ad2696236443", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CompilerConfigurationKey.create(\"output directory\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|328a66f93c1f2c699048b8d002cdea2d04a28ec5048f9a7c6cc3ad2696236443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/lang/kotlin/indexer/KotlinIndexerConfigurationKeys.kt"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 107414, "scanner": "repobility-threat-engine", "fingerprint": "46aa9ec65ffaa582a1b9e71e8511e9f37da0992e3d8f2788c432e0185ab2aba3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46aa9ec65ffaa582a1b9e71e8511e9f37da0992e3d8f2788c432e0185ab2aba3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/glass/Glean/Glass/Handler/Cxx.hs"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": 
"[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 107413, "scanner": "repobility-threat-engine", "fingerprint": "ed5ba5082c55e6f31e3562dcdc5652fcd8805b1eaa376372e7118ac46c68c579", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ed5ba5082c55e6f31e3562dcdc5652fcd8805b1eaa376372e7118ac46c68c579"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/client/swift/hash.cpp"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 107412, "scanner": "repobility-threat-engine", "fingerprint": "31d09731188077a7b78e5518953b87354094b3eb5b492ec1daf051665dcc8d69", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|31d09731188077a7b78e5518953b87354094b3eb5b492ec1daf051665dcc8d69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/angle/Glean/Angle/Hash.hs"}, "region": {"startLine": 33}}}]}, 
{"ruleId": "MINED025", "level": "error", "message": {"text": "[MINED025] Php Eval: eval() executes arbitrary PHP. Code injection."}, "properties": {"repobilityId": 107443, "scanner": "repobility-threat-engine", "fingerprint": "96dc836225142600a487e27da570872365156613dc4fd4a1e954afc853366c71", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-eval", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347956+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 164}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96dc836225142600a487e27da570872365156613dc4fd4a1e954afc853366c71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/shell/Glean/Shell/Types.hs"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED025", "level": "error", "message": {"text": "[MINED025] Php Eval: eval() executes arbitrary PHP. 
Code injection."}, "properties": {"repobilityId": 107442, "scanner": "repobility-threat-engine", "fingerprint": "78442ffaa4688aa02b1699ca625102bac636cccbde115457ecad8d201acb54d7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-eval", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347956+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 164}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78442ffaa4688aa02b1699ca625102bac636cccbde115457ecad8d201acb54d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/shell/Glean/Shell/Index.hs"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 107441, "scanner": "repobility-threat-engine", "fingerprint": "68ef5403f3f60798dbdff282e840112a6cbcaa82eebaac504ab4ecfc56ebbdfb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68ef5403f3f60798dbdff282e840112a6cbcaa82eebaac504ab4ecfc56ebbdfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/shell/Glean/Shell/Types.hs"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 107440, "scanner": "repobility-threat-engine", "fingerprint": "f3cd276af401be0cb767cd12f505afbbb763d206ecae257fa57604014e1b0b16", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3cd276af401be0cb767cd12f505afbbb763d206ecae257fa57604014e1b0b16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/shell/Glean/Shell/Index.hs"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED015", "level": "error", "message": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. 
Code injection."}, "properties": {"repobilityId": 107439, "scanner": "repobility-threat-engine", "fingerprint": "ce6be558d2fdf7a56697244356ea2464357ab0c1dd7ade2ab56e1e8ca62e2284", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-eval-call", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347933+00:00", "triaged_in_corpus": 20, "observations_count": 85733, "ai_coder_pattern_id": 161}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce6be558d2fdf7a56697244356ea2464357ab0c1dd7ade2ab56e1e8ca62e2284"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/shell/Glean/Shell/Types.hs"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED015", "level": "error", "message": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection."}, "properties": {"repobilityId": 107438, "scanner": "repobility-threat-engine", "fingerprint": "1fd99c83627c8ecd7391cc6f2dddade0b9c17002ae6d53e6821e52cdc09079bf", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-eval-call", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347933+00:00", "triaged_in_corpus": 20, "observations_count": 85733, "ai_coder_pattern_id": 161}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1fd99c83627c8ecd7391cc6f2dddade0b9c17002ae6d53e6821e52cdc09079bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "glean/shell/Glean/Shell/Index.hs"}, "region": {"startLine": 42}}}]}]}]}