{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `litellm` has no version pin: Unpinned pip requirement means every fresh install may resolv", "shortDescription": {"text": "[MINED124] requirements.txt: `litellm` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible insta"}, "fullDescription": {"text": "Replace `litellm` with `litellm==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC089", "name": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended ", "shortDescription": {"text": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0)."}, "fullDescription": {"text": "Bind to `127.0.0.1:PORT` and front with a reverse proxy."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_fetch_rows` has cognitive complexity 17 (SonarSource scale). Cognitive c", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_fetch_rows` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion a"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 17."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 2 more): Same pattern found in 2 a", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 11 more): Same pattern found in 11 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 29 more): Same pattern found in 29 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 33 more): Same pattern found in 33 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED033] Go Recover Without Log (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 230 more): Same pattern found in 230 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 230 more): Same pattern found in 230 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 97 more): Same pattern found in 97 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 97 more): Same pattern found in 97 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/setup-go@<40-char-sha>  # v5` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED128", "name": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a ", "shortDescription": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can "}, "fullDescription": {"text": "If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /rerank has no auth: Handler `rerank` is registered with router/app.post(...) but no Depends/Sec", "shortDescription": {"text": "[MINED112] FastAPI POST /rerank has no auth: Handler `rerank` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED009", "name": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.", "shortDescription": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.45, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/205"}, "properties": {"repository": "trpc-group/trpc-agent-go", "repoUrl": "https://github.com/trpc-group/trpc-agent-go", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `litellm` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 50301, "scanner": "repobility-supply-chain", "fingerprint": "8fc0d071651f191a05ed0154de30cf0b7f3d7e8118d3c1914ee9fb776aab0810", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fc0d071651f191a05ed0154de30cf0b7f3d7e8118d3c1914ee9fb776aab0810"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2aadk/adk/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `uvicorn` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 50300, "scanner": "repobility-supply-chain", "fingerprint": "1e1a46e886fd9e3ccc91dfd9deabfd5345d14e081d6be633ca1d8d60e2ec3f89", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e1a46e886fd9e3ccc91dfd9deabfd5345d14e081d6be633ca1d8d60e2ec3f89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2aadk/adk/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50273, "scanner": "repobility-ast-engine", "fingerprint": "b8a2b0241a50db3368ad731291e4701b7bb34102d95cd4ad151d97535e3d75e3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b8a2b0241a50db3368ad731291e4701b7bb34102d95cd4ad151d97535e3d75e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/skills/ocr/scripts/ocr_url.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50272, "scanner": "repobility-ast-engine", "fingerprint": "c0b713b4469f5df283afeea00f62eddfee0889477c7a19f767e1e4340ad3c4cc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c0b713b4469f5df283afeea00f62eddfee0889477c7a19f767e1e4340ad3c4cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/skills/ocr/scripts/ocr.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50271, "scanner": "repobility-ast-engine", "fingerprint": "bfa0e44917fa43f03ef4188de5b1b6406532a99445b7859a1729faa0baacb8af", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bfa0e44917fa43f03ef4188de5b1b6406532a99445b7859a1729faa0baacb8af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/scripts/download_gaia_2023_level1_validation.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50270, "scanner": "repobility-ast-engine", "fingerprint": "3992844ebbdbccdb9e09f1f084dca94352d952ee26c578c41453d71e5c223df2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3992844ebbdbccdb9e09f1f084dca94352d952ee26c578c41453d71e5c223df2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/scripts/download_gaia_2023_level1_validation.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50269, "scanner": "repobility-ast-engine", "fingerprint": "612474f6a049e17cd85b8115e0cb3334c22a4e5b82bea0613d5e4d12956623e2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|612474f6a049e17cd85b8115e0cb3334c22a4e5b82bea0613d5e4d12956623e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/scripts/download_gaia_2023_level1_validation.py"}, "region": {"startLine": 342}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50268, "scanner": "repobility-ast-engine", "fingerprint": "0c343d8edf2f277153d4298f84af5a77b607f30449896be1ffda3b8fb16c236a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c343d8edf2f277153d4298f84af5a77b607f30449896be1ffda3b8fb16c236a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skillrun/skills/python_math/scripts/fib.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50267, "scanner": "repobility-ast-engine", "fingerprint": "f88a440e7a3a7597d70e9d38184d80853bed4385642f2bd3e74de5b706de5642", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f88a440e7a3a7597d70e9d38184d80853bed4385642f2bd3e74de5b706de5642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2aadk/adk/adk_server.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50266, "scanner": "repobility-ast-engine", "fingerprint": "a6ef7222b47926f067324d80a2d74d1c9e8d787bbb8eb086a3f1d61413d2afcf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a6ef7222b47926f067324d80a2d74d1c9e8d787bbb8eb086a3f1d61413d2afcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2aadk/adk/adk_server.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50265, "scanner": "repobility-ast-engine", "fingerprint": "22143c883bd9cf5c33cdc18732ffa27abb571621a6137dbeae4619f9e024b1e5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22143c883bd9cf5c33cdc18732ffa27abb571621a6137dbeae4619f9e024b1e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/nano-banana-pro/scripts/generate_image.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50264, "scanner": "repobility-ast-engine", "fingerprint": "b289da8f9bd3d551d8c9885aee71a670f34ac34d80e695e9dc75d2503fda000f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b289da8f9bd3d551d8c9885aee71a670f34ac34d80e695e9dc75d2503fda000f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/nano-banana-pro/scripts/generate_image.py"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50263, "scanner": "repobility-ast-engine", "fingerprint": "04475ad0d2b008cedeb73af7c0a4be9967ff3227806a48e8218d197e976da89f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|04475ad0d2b008cedeb73af7c0a4be9967ff3227806a48e8218d197e976da89f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/skill-creator/scripts/package_skill.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50262, "scanner": "repobility-ast-engine", "fingerprint": "ed2879e87b906a07ee957d4942c383d8ee468a282aa4605a82cded2aa53b0c90", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ed2879e87b906a07ee957d4942c383d8ee468a282aa4605a82cded2aa53b0c90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/skill-creator/scripts/init_skill.py"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50261, "scanner": "repobility-ast-engine", "fingerprint": "1783a4d809f4d90a6469f1d925a76f8a87c7223be3a3f5a9dc162537c4193c70", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1783a4d809f4d90a6469f1d925a76f8a87c7223be3a3f5a9dc162537c4193c70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/skill-creator/scripts/init_skill.py"}, "region": {"startLine": 292}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50260, "scanner": "repobility-ast-engine", "fingerprint": "26c90c988e6f941ffdcf589eca09c916788ae257e549f0840e821e8cf59a080e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|26c90c988e6f941ffdcf589eca09c916788ae257e549f0840e821e8cf59a080e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/skill-creator/scripts/init_skill.py"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50259, "scanner": "repobility-ast-engine", "fingerprint": "ae602e0c8bb2a1027d8476e77fccedc8705b53b68dd34b677fd666cfceb222e6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ae602e0c8bb2a1027d8476e77fccedc8705b53b68dd34b677fd666cfceb222e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/model-usage/scripts/model_usage.py"}, "region": {"startLine": 287}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50258, "scanner": "repobility-ast-engine", "fingerprint": "4179c93069a50a8327ad2da21679731da72fb6a48efb3ff3e6a5b515e53eb561", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4179c93069a50a8327ad2da21679731da72fb6a48efb3ff3e6a5b515e53eb561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/model-usage/scripts/model_usage.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 50235, "scanner": "repobility-threat-engine", "fingerprint": "1f3ee1e66008a122d9643312d274f441fd953938ff3ccc0d33c2a81c3b7ca4f9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        return datetime.strptime(value, \"%Y-%m-%d\").date()\n    except Exception:\n        return", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1f3ee1e66008a122d9643312d274f441fd953938ff3ccc0d33c2a81c3b7ca4f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/model-usage/scripts/model_usage.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC002", "level": "warning", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 50218, "scanner": "repobility-threat-engine", "fingerprint": "130832c01f824acf16c375cddcc7e1c2d3a490c1107e98afb347ebb16e05d757", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: documentation/example path]", "evidence": {"match": "APIKey  = \"<redacted>\"", "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|3|apikey redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/memory/compare/main.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC089", "level": "warning", "message": {"text": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0)."}, "properties": {"repobilityId": 50217, "scanner": "repobility-threat-engine", "fingerprint": "aa10c851cb81457408e876f9650ffba73a55968d00c692252e0dcdc298a81663", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".ListenAndServe(\":8080\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC089", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa10c851cb81457408e876f9650ffba73a55968d00c692252e0dcdc298a81663"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/openapitool/mockserver/main.go"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC089", "level": "warning", "message": {"text": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0)."}, "properties": {"repobilityId": 50216, "scanner": "repobility-threat-engine", "fingerprint": "92ec890a205deea65105fe08d40901fc7f9c069aa74a50c88a13058d49a95def", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".ListenAndServe(\":3000\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC089", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92ec890a205deea65105fe08d40901fc7f9c069aa74a50c88a13058d49a95def"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcptool/http_headers/mcpserver/main.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 50201, "scanner": "repobility-threat-engine", "fingerprint": "71efc545d9d6c7a5ec73da603e7bee24b99a3dea9ccede784e2f1e72f1ae8cf3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.ListenAndServe(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|71efc545d9d6c7a5ec73da603e7bee24b99a3dea9ccede784e2f1e72f1ae8cf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2ui/server/sbti/main.go"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 50200, "scanner": "repobility-threat-engine", "fingerprint": "32eac556c9d40eef25ef8811711204d14bdcd92972df5ed408b9e29a0f0d976f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.ListenAndServe(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|32eac556c9d40eef25ef8811711204d14bdcd92972df5ed408b9e29a0f0d976f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2ui/server/default/main.go"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 50199, "scanner": "repobility-threat-engine", "fingerprint": "164d46a9f28ae65ea2c4de8dc0c9b11f3560e9ac5b3a75fb7b461298fecec65f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:    *listenAddr,\n\t\tHandler: mux,\n\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|164d46a9f28ae65ea2c4de8dc0c9b11f3560e9ac5b3a75fb7b461298fecec65f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2amultipath/server/main.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `_fetch_rows` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=3, for=1, if=5, nested_bonus=6, or=1, while=1."}, "properties": {"repobilityId": 50197, "scanner": "repobility-threat-engine", "fingerprint": "c5f54eb5d7bdc79c7dfc6db207e3dbfac22e765f1f47b629c50879547e0e9083", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 17 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_fetch_rows", "breakdown": {"if": 5, "or": 1, "for": 1, "break": 3, "while": 1, "nested_bonus": 6}, "complexity": 17, "correlation_key": "fp|c5f54eb5d7bdc79c7dfc6db207e3dbfac22e765f1f47b629c50879547e0e9083"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/scripts/download_gaia_2023_level1_validation.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50178, "scanner": "repobility-threat-engine", "fingerprint": "720de0a9f19885a6736a6fced55e09b72700f87c996ba75acf1c316e7ed2948b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|145|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/metric/mysql/mysql.go"}, "region": {"startLine": 145}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50177, "scanner": "repobility-threat-engine", "fingerprint": "ebc0e06b8b61e15aa85afec36be9e34fea8bdfec78a720ba572473894b94a4c4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|160|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/internal/mysqldb/schema.go"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50176, "scanner": "repobility-threat-engine", "fingerprint": "1caf38d9b66d8db4573a06e875733beeeeeeb329065b25f12f087131980db6e1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|114|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evalresult/mysql/mysql.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 50166, "scanner": "repobility-threat-engine", "fingerprint": "c48193fc51b769009641965f7fde5d763ae85a9fef08375fb8c9a25ab1bed097", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Debug = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c48193fc51b769009641965f7fde5d763ae85a9fef08375fb8c9a25ab1bed097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codeexecutor/e2b/internal/codeinterpreter/client.go"}, "region": {"startLine": 82}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 6366, "scanner": "repobility-threat-engine", "fingerprint": "12dc69830e553244f769a2d758eec374ef23f98521b91f184961913266923601", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|12dc69830e553244f769a2d758eec374ef23f98521b91f184961913266923601"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/browser-server/src/host-profile.js"}, "region": {"startLine": 162}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 6365, "scanner": "repobility-threat-engine", "fingerprint": "1b01badedcd9c3616c5d423dd19e64206169be50c0e2b4670e6734e678948fb8", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1b01badedcd9c3616c5d423dd19e64206169be50c0e2b4670e6734e678948fb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/browser-extension/background.js"}, "region": {"startLine": 1206}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 6358, "scanner": "repobility-agent-runtime", "fingerprint": "63b76bb03b8028af058e3bc330426fde39d300de134f131dc134b4b2a297e492", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|63b76bb03b8028af058e3bc330426fde39d300de134f131dc134b4b2a297e492"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agui/client/tdesign-chat/src/App.tsx"}, "region": {"startLine": 149}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6352, "scanner": "repobility-ai-code-hygiene", "fingerprint": "815e8235daa7870133fa3c4207203a477d1719fccca06f52688e25f63ea9fde9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/graphagent/option.go", "duplicate_line": 20, "correlation_key": "fp|815e8235daa7870133fa3c4207203a477d1719fccca06f52688e25f63ea9fde9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/llmagent/option.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6347, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46e01531e58298b6d68bfe82be4a60c76da2b7076edd34c1226a500d6982a263", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "storage/elasticsearch/internal/elasticsearch/elasticsearch_v7.go", "duplicate_line": 30, "correlation_key": "fp|46e01531e58298b6d68bfe82be4a60c76da2b7076edd34c1226a500d6982a263"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "storage/elasticsearch/internal/elasticsearch/elasticsearch_v9.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6346, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3100d2d41f961d5dd3191e6e5be0b29462d179d093d650b509cda3906ef8c250", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "storage/elasticsearch/internal/elasticsearch/elasticsearch_v7.go", "duplicate_line": 30, "correlation_key": "fp|3100d2d41f961d5dd3191e6e5be0b29462d179d093d650b509cda3906ef8c250"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "storage/elasticsearch/internal/elasticsearch/elasticsearch_v8.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 6345, "scanner": "repobility-ai-code-hygiene", "fingerprint": "737c40e2bb892d55490cd97dec6fd2a507385513272863e608b997b5ff0046b9", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "v8", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "storage/elasticsearch/internal/elasticsearch/elasticsearch.go", "correlation_key": "fp|737c40e2bb892d55490cd97dec6fd2a507385513272863e608b997b5ff0046b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "storage/elasticsearch/internal/elasticsearch/elasticsearch_v8.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 6344, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f932e0e3d6621af16a99369c23ad85fe05d912105aa0544238293292f738597", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "v7", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "storage/elasticsearch/internal/elasticsearch/elasticsearch.go", "correlation_key": "fp|4f932e0e3d6621af16a99369c23ad85fe05d912105aa0544238293292f738597"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "storage/elasticsearch/internal/elasticsearch/elasticsearch_v7.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50257, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5695ff145c58060ea49bf1a2b986f1e7f2c0c9e4a2f7d9db59f3a59e94783c7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evaluator/llm/finalresponse/finalresponse.go", "duplicate_line": 2, "correlation_key": "fp|d5695ff145c58060ea49bf1a2b986f1e7f2c0c9e4a2f7d9db59f3a59e94783c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evaluator/llm/rubriccritic/rubriccritic.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50256, "scanner": "repobility-ai-code-hygiene", "fingerprint": "786f13ea4656a9cd370a6c7c9526ff3ce52a249ca9062f0be3debb4a5712ee98", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evaluator/llm/finalresponse/options.go", "duplicate_line": 22, "correlation_key": "fp|786f13ea4656a9cd370a6c7c9526ff3ce52a249ca9062f0be3debb4a5712ee98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evaluator/llm/rubriccritic/options.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50255, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3a1477d780931d52b93ae49d6238ffb001c7715b676abd9f6bd7f9ae429bb20", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evaluator/llm/operator/messagesconstructor/rubricknowledgerecall/rubricknowledgerecall.go", "duplicate_line": 71, "correlation_key": "fp|c3a1477d780931d52b93ae49d6238ffb001c7715b676abd9f6bd7f9ae429bb20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evaluator/llm/operator/messagesconstructor/rubricresponse/rubricresponse.go"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50254, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0b099e958f63dd8d1cb5dbd1dacde524fac1c39e8ff6c5b773f188e813d2234", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evaluator/llm/operator/messagesconstructor/rubriccritic/rubriccritic.go", "duplicate_line": 2, "correlation_key": "fp|b0b099e958f63dd8d1cb5dbd1dacde524fac1c39e8ff6c5b773f188e813d2234"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evaluator/llm/operator/messagesconstructor/rubricresponse/rubricresponse.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50253, "scanner": "repobility-ai-code-hygiene", "fingerprint": "293cf5a8ca994bff081d70e55b610eab30878c2f2c4851d928c2225702da71ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evaluator/llm/operator/messagesconstructor/rubriccritic/rubriccritic.go", "duplicate_line": 2, "correlation_key": "fp|293cf5a8ca994bff081d70e55b610eab30878c2f2c4851d928c2225702da71ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evaluator/llm/operator/messagesconstructor/rubricreferencecritic/rubricreferencecritic.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50252, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b31829a9c40e10968dfb091ee09e6a4d92bc0a82824e7957f08f01f05adbeed5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evaluator/llm/operator/messagesconstructor/rubriccritic/rubriccritic.go", "duplicate_line": 2, "correlation_key": "fp|b31829a9c40e10968dfb091ee09e6a4d92bc0a82824e7957f08f01f05adbeed5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evaluator/llm/operator/messagesconstructor/rubricknowledgerecall/rubricknowledgerecall.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50251, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6fb817654d361311f5cf338a6dc0abf9001bde920b2826d8f179511aa5f0467d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evaluator/llm/internal/templateresolver/scorer.go", "duplicate_line": 71, "correlation_key": "fp|6fb817654d361311f5cf338a6dc0abf9001bde920b2826d8f179511aa5f0467d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evaluator/llm/operator/internal/rubrics/rubrics.go"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50250, "scanner": "repobility-ai-code-hygiene", "fingerprint": "29246cfc04961eb725244d8e9bb4cc3ccefeb722e3a7c7814a5e92571c89671e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evaluator/llm/finalresponse/options.go", "duplicate_line": 22, "correlation_key": "fp|29246cfc04961eb725244d8e9bb4cc3ccefeb722e3a7c7814a5e92571c89671e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evaluator/llm/hallucination/options.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50249, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a31d8b91ea46859089f68f6680219566ee7ef2b6875f96a609a910308cf40818", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evaluator/llm/finalresponse/finalresponse.go", "duplicate_line": 2, "correlation_key": "fp|a31d8b91ea46859089f68f6680219566ee7ef2b6875f96a609a910308cf40818"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evaluator/llm/hallucination/hallucination.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50248, "scanner": "repobility-ai-code-hygiene", "fingerprint": "913b71a4ecd2c208633bc1bc29117940e912653e9149140f3af8812a2ce03990", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evalresult/mysql/options.go", "duplicate_line": 1, "correlation_key": "fp|913b71a4ecd2c208633bc1bc29117940e912653e9149140f3af8812a2ce03990"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evalset/mysql/options.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50247, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22a52ad0576cc4319bc9b94c6d1842a81e7adaa293b0e4f3f706633baec8b913", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evalset/local/local.go", "duplicate_line": 126, "correlation_key": "fp|22a52ad0576cc4319bc9b94c6d1842a81e7adaa293b0e4f3f706633baec8b913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evalset/mysql/mysql.go"}, "region": {"startLine": 229}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50246, "scanner": "repobility-ai-code-hygiene", "fingerprint": "03bc94bead4b9e85d29bd889ad4f2058f33bf8464cb130c19cf5ce89316ff43d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evalresult/mysql/mysql.go", "duplicate_line": 23, "correlation_key": "fp|03bc94bead4b9e85d29bd889ad4f2058f33bf8464cb130c19cf5ce89316ff43d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evalset/mysql/mysql.go"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50245, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0146e52bded699430af2f18df0cb6dcd0a0e126d4af0367797601872c2caf92d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evalresult/locator.go", "duplicate_line": 17, "correlation_key": "fp|0146e52bded699430af2f18df0cb6dcd0a0e126d4af0367797601872c2caf92d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evalset/locator.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50244, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4e00cb6b917b38b067ecb6d713ba03f524ade36fc192e0745b45cf7216908bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evalresult/local/local.go", "duplicate_line": 135, "correlation_key": "fp|f4e00cb6b917b38b067ecb6d713ba03f524ade36fc192e0745b45cf7216908bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evalset/local/local.go"}, "region": {"startLine": 267}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50243, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5936a04b14bf090bdf9ae65bd0ac08fe8ec50a617814209f9c9bc4d25fc17bd4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evalset/inmemory/inmemory.go", "duplicate_line": 70, "correlation_key": "fp|5936a04b14bf090bdf9ae65bd0ac08fe8ec50a617814209f9c9bc4d25fc17bd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evalset/local/local.go"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50242, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e748593f63505103b70ea6def422cc1c12e4f3c49fd5b7215d91ed0c405c1862", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evalresult/inmemory/inmemory.go", "duplicate_line": 27, "correlation_key": "fp|e748593f63505103b70ea6def422cc1c12e4f3c49fd5b7215d91ed0c405c1862"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evalresult/mysql/mysql.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50241, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b141599405ab4ecac47cf938de8914bd567e466b4a5f886f9a16d5898f1f4db8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evaluation/evalresult/inmemory/inmemory.go", "duplicate_line": 22, "correlation_key": "fp|b141599405ab4ecac47cf938de8914bd567e466b4a5f886f9a16d5898f1f4db8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evalresult/local/local.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50240, "scanner": "repobility-ai-code-hygiene", "fingerprint": "14d9032c31258baba02f35f50113b4359f686f1141954c7649975c5280bcead8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "artifact/cos/service.go", "duplicate_line": 58, "correlation_key": "fp|14d9032c31258baba02f35f50113b4359f686f1141954c7649975c5280bcead8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "artifact/s3/service.go"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50239, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6fcac952099fb1128a381fc1330d6a0dde9a78f9713369fb4f2992dbb0ca70dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/llmagent/structure_export.go", "duplicate_line": 79, "correlation_key": "fp|6fcac952099fb1128a381fc1330d6a0dde9a78f9713369fb4f2992dbb0ca70dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/parallelagent/structure_export.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50238, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f88fc327b25e24f360d862b913fc15ee3ceb8e1afeca09183f8d66babbe8d87a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/graphagent/option.go", "duplicate_line": 20, "correlation_key": "fp|f88fc327b25e24f360d862b913fc15ee3ceb8e1afeca09183f8d66babbe8d87a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/llmagent/option.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50237, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46796a75205e67abed00256abdf5e5e96900f093ddecc8aec07ce947d77ee3f7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/extension/extension.go", "duplicate_line": 114, "correlation_key": "fp|46796a75205e67abed00256abdf5e5e96900f093ddecc8aec07ce947d77ee3f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/llmagent/extension.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 50211, "scanner": "repobility-threat-engine", "fingerprint": "799662ebe02d33b6da2f8fdf921a5e37494999d2f926f2d1f4fae6e8cf56bfa6", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"You must execute the tool named step_worker exactly \" +\n\t\trequiredCalls + \" times in one run before", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|799662ebe02d33b6da2f8fdf921a5e37494999d2f926f2d1f4fae6e8cf56bfa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/summary/toolcalls/main.go"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 50210, "scanner": "repobility-threat-engine", "fingerprint": "fd61c0c2308cf7856d373ae3409599e4f10605c39c06f0b560c99a0c871b59b9", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"https://huggingface.co/datasets/\"\n        + HF_DATASET\n        + \"/resolve/\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd61c0c2308cf7856d373ae3409599e4f10605c39c06f0b560c99a0c871b59b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/scripts/download_gaia_2023_level1_validation.py"}, "region": {"startLine": 249}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 50209, "scanner": "repobility-threat-engine", "fingerprint": "340279260f7d4bf8fa3d3552461534ada7c98892c8e616f6a1829bc2f360c469", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Use parsed_time=\" + pt + \" if relevant.\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|340279260f7d4bf8fa3d3552461534ada7c98892c8e616f6a1829bc2f360c469"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/graph/io_conventions/main.go"}, "region": {"startLine": 231}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `calculator` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=3, else=1, except=1, if=2, nested_bonus=1."}, "properties": {"repobilityId": 50196, "scanner": "repobility-threat-engine", "fingerprint": "b99e7d4c992e02109eaf0a6508b3feeec612ff7afa5fb2c99281571792581f9c", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "calculator", "breakdown": {"if": 2, "elif": 3, "else": 1, "except": 1, "nested_bonus": 1}, "complexity": 8, "correlation_key": "fp|b99e7d4c992e02109eaf0a6508b3feeec612ff7afa5fb2c99281571792581f9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2aadk/adk/adk_server.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 50144, "scanner": "repobility-threat-engine", "fingerprint": "29188cd85999578e7ce0dffcca79bce238eb1d13dab9570c38d3a0ed1c9f1b28", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.Remove(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29188cd85999578e7ce0dffcca79bce238eb1d13dab9570c38d3a0ed1c9f1b28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codeexecutor/metadata.go"}, "region": {"startLine": 385}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 50143, "scanner": "repobility-threat-engine", "fingerprint": "a21c55d69fc995e75496dbf5aab0c4f364b5922ea0ecc555c091ad84abdb339b", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = sbx.Kill(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a21c55d69fc995e75496dbf5aab0c4f364b5922ea0ecc555c091ad84abdb339b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codeexecutor/e2b/internal/codeinterpreter/example/main.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 50142, "scanner": "repobility-threat-engine", "fingerprint": "aa0278feb886ef81aeb7f5b7fbfc4c785c24a1df3996844a3df61cd2bb99bec1", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.RemoveAll(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa0278feb886ef81aeb7f5b7fbfc4c785c24a1df3996844a3df61cd2bb99bec1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check-current-module-sums.go"}, "region": {"startLine": 78}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6382, "scanner": "repobility-docker", "fingerprint": "b48699a65510da0abe98d7d85f74b558457e55e90edfa382d41b609b527461c0", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b48699a65510da0abe98d7d85f74b558457e55e90edfa382d41b609b527461c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/telemetry/jaeger-prometheus/docker-compose.yaml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6381, "scanner": "repobility-docker", "fingerprint": "fe48968c1439c00de84dfce8fcadc2d6caae8d86a5cee7b2db2dd2733424a659", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fe48968c1439c00de84dfce8fcadc2d6caae8d86a5cee7b2db2dd2733424a659"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/telemetry/jaeger-prometheus/docker-compose.yaml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6380, "scanner": "repobility-docker", "fingerprint": "aa384b65af1cd4ce5532e7c61c2ebf587f074286a57faf45d83c8d5a094f683f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "prometheus", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|aa384b65af1cd4ce5532e7c61c2ebf587f074286a57faf45d83c8d5a094f683f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/telemetry/jaeger-prometheus/docker-compose.yaml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6379, "scanner": "repobility-docker", "fingerprint": "2951370887f5b29f76b8b93c43b6408d2d4b4be7e34532946a1229a859f0a5ff", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "prometheus", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2951370887f5b29f76b8b93c43b6408d2d4b4be7e34532946a1229a859f0a5ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/telemetry/jaeger-prometheus/docker-compose.yaml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6378, "scanner": "repobility-docker", "fingerprint": "8eda1a506dc8fe5049581a12efe9eb3f190bc27683070ddf3ad0cc63065f856a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8eda1a506dc8fe5049581a12efe9eb3f190bc27683070ddf3ad0cc63065f856a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/telemetry/jaeger-prometheus/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6377, "scanner": "repobility-docker", "fingerprint": "4cb448513f0f5da557ff91d1448b9c10a63c9150e934073088b94e929c370d21", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4cb448513f0f5da557ff91d1448b9c10a63c9150e934073088b94e929c370d21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/telemetry/jaeger-prometheus/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6376, "scanner": "repobility-docker", "fingerprint": "a2b1ed2f73381678e20dde54f8c1d8d32f99c264988466d7db35682e137c3af5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a2b1ed2f73381678e20dde54f8c1d8d32f99c264988466d7db35682e137c3af5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/callbacks/timer/docker-compose.yaml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6375, "scanner": "repobility-docker", "fingerprint": "360e3f6a2c222f09af7830027cafafcc026844a8c35f73d1a6eb7ce63bc9f999", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|360e3f6a2c222f09af7830027cafafcc026844a8c35f73d1a6eb7ce63bc9f999"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/callbacks/timer/docker-compose.yaml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6374, "scanner": "repobility-docker", "fingerprint": "be22e7b4092c33f1bdbc71efe158b06c5da3e7f59b6eb519dc6b65ade5143b3d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "prometheus", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|be22e7b4092c33f1bdbc71efe158b06c5da3e7f59b6eb519dc6b65ade5143b3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/callbacks/timer/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6373, "scanner": "repobility-docker", "fingerprint": "09ea59bf63311a4d222b1a9a21e84ef919bfd81c65366edc3b23d625e8418ade", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "prometheus", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|09ea59bf63311a4d222b1a9a21e84ef919bfd81c65366edc3b23d625e8418ade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/callbacks/timer/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6372, "scanner": "repobility-docker", "fingerprint": "54ed4aaf64bb2e081b65487cdf25da18b4ab9517e8b0073daca305734a25a8dd", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|54ed4aaf64bb2e081b65487cdf25da18b4ab9517e8b0073daca305734a25a8dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/callbacks/timer/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6371, "scanner": "repobility-docker", "fingerprint": "b03fd882c6eb8a60cc5f0024c87ada7d5b1dced4064d96070f33b2e8aa85924c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b03fd882c6eb8a60cc5f0024c87ada7d5b1dced4064d96070f33b2e8aa85924c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/callbacks/timer/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 6361, "scanner": "repobility-threat-engine", "fingerprint": "ada8b9d846d0fab687e7b01384b1ffe6acb870159a06a456904f6afbe6f1ae3f", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = fallbackCounter.CountTokens(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ada8b9d846d0fab687e7b01384b1ffe6acb870159a06a456904f6afbe6f1ae3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/token_tailor.go"}, "region": {"startLine": 704}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 6360, "scanner": "repobility-threat-engine", "fingerprint": "907484fc605606c178c61035db83cf7727c1773ef3f2fc19133d2cf5accc1eb9", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = h.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|907484fc605606c178c61035db83cf7727c1773ef3f2fc19133d2cf5accc1eb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "graph/state_graph.go"}, "region": {"startLine": 883}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 6359, "scanner": "repobility-threat-engine", "fingerprint": "1d8cc63899f697338e64f290fcd739549aac9b7733247294f9ca74b00c153ddb", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = json.Unmarshal(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d8cc63899f697338e64f290fcd739549aac9b7733247294f9ca74b00c153ddb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "graph/events.go"}, "region": {"startLine": 1642}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6357, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5734c6c9631c979eee671fada15008e8f62a6ebdc787cad010bbeb425fdcef1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/chainagent/structure_export.go", "duplicate_line": 8, "correlation_key": "fp|d5734c6c9631c979eee671fada15008e8f62a6ebdc787cad010bbeb425fdcef1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/parallelagent/structure_export.go"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6356, "scanner": "repobility-ai-code-hygiene", "fingerprint": "657742b546186035ad08fe1ad30b2c09d71c06f2849afe87de8dff7cd4df110a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/cycleagent/cycle_agent.go", "duplicate_line": 231, "correlation_key": "fp|657742b546186035ad08fe1ad30b2c09d71c06f2849afe87de8dff7cd4df110a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/parallelagent/parallel_agent.go"}, "region": {"startLine": 165}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6355, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95a3b61013791a742a6d4190b844d005eb20179b6934f24d37680b875ffaf456", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/chainagent/chain_agent.go", "duplicate_line": 272, "correlation_key": "fp|95a3b61013791a742a6d4190b844d005eb20179b6934f24d37680b875ffaf456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/parallelagent/parallel_agent.go"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6354, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d2c56cd1a606ec483d62b5020b9fc7d3ad54ff9f1e60cd0c1928c680276c053", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/graphagent/structure_export.go", "duplicate_line": 169, "correlation_key": "fp|8d2c56cd1a606ec483d62b5020b9fc7d3ad54ff9f1e60cd0c1928c680276c053"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/llmagent/structure_export.go"}, "region": {"startLine": 98}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6353, "scanner": "repobility-ai-code-hygiene", "fingerprint": "304423ab415b22fcb853e2e56d42a901a75eae64f5ec2fa440ac433fea108e30", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/chainagent/structure_export.go", "duplicate_line": 28, "correlation_key": "fp|304423ab415b22fcb853e2e56d42a901a75eae64f5ec2fa440ac433fea108e30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/llmagent/structure_export.go"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6351, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b23a916b947ea4c22cbf08b1fbbfe4e836bd97dae3ad71816d87ebd8ac651e51", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/chainagent/chain_agent.go", "duplicate_line": 271, "correlation_key": "fp|b23a916b947ea4c22cbf08b1fbbfe4e836bd97dae3ad71816d87ebd8ac651e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/graphagent/graph_agent.go"}, "region": {"startLine": 528}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6350, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de6f5b3ae646b53587e45d470a116c8826fac3a17a4d6b3ee4d8acd61bee9867", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/a2aagent/a2a_agent.go", "duplicate_line": 519, "correlation_key": "fp|de6f5b3ae646b53587e45d470a116c8826fac3a17a4d6b3ee4d8acd61bee9867"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/dify/dify_agent.go"}, "region": {"startLine": 242}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6349, "scanner": "repobility-ai-code-hygiene", "fingerprint": "430124312e4c6c839a5f677a6b20f5b2ab2ce0902ec137257278906eca81187b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/chainagent/structure_export.go", "duplicate_line": 8, "correlation_key": "fp|430124312e4c6c839a5f677a6b20f5b2ab2ce0902ec137257278906eca81187b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/cycleagent/structure_export.go"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6348, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b9741f690173b0493c8b1c396336ae524813a44be579f1e30856dacb1583c4c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/chainagent/chain_agent.go", "duplicate_line": 37, "correlation_key": "fp|2b9741f690173b0493c8b1c396336ae524813a44be579f1e30856dacb1583c4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/cycleagent/cycle_agent.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC114", "level": "none", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 50232, "scanner": "repobility-threat-engine", "fingerprint": "bd1eb12b4f188f0592c73e146c78e4025b691273a56b6147697cf87ed06defc3", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bd1eb12b4f188f0592c73e146c78e4025b691273a56b6147697cf87ed06defc3"}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 50225, "scanner": "repobility-threat-engine", "fingerprint": "7d91cc26329ed231951c0f57cafd6f2c422e72b1ea54bef6180e6b3a080fa94d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7d91cc26329ed231951c0f57cafd6f2c422e72b1ea54bef6180e6b3a080fa94d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/skills/ocr/scripts/ocr_url.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 50224, "scanner": "repobility-threat-engine", "fingerprint": "e245150f8cee1a6be7aa1c781b70231bd05d07f2163adb1fa495c30edc7f9c0c", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|e245150f8cee1a6be7aa1c781b70231bd05d07f2163adb1fa495c30edc7f9c0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/skills/ocr/scripts/ocr_url.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 50223, "scanner": "repobility-threat-engine", "fingerprint": "de61fc9c25b596103674fd28d649c7c7d20f28e666479ac782f0f50103828116", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de61fc9c25b596103674fd28d649c7c7d20f28e666479ac782f0f50103828116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/scripts/download_gaia_2023_level1_validation.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 50222, "scanner": "repobility-threat-engine", "fingerprint": "1787eaa80580ff8585c826db77277a2cfcf067c3d84f9c979bf015858c4f98c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1787eaa80580ff8585c826db77277a2cfcf067c3d84f9c979bf015858c4f98c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/scripts/download_gaia_2023_level1_validation.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 50214, "scanner": "repobility-threat-engine", "fingerprint": "fdd880e12298296fb8cdf6292b8cc94181e82a477372b70a6912a2a549d007da", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fdd880e12298296fb8cdf6292b8cc94181e82a477372b70a6912a2a549d007da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/knowledge/reranker/infinity/deploy_infinity.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 50212, "scanner": "repobility-threat-engine", "fingerprint": "e7893671d70264e2a4ad4723ecd2542e5d962272b42b73d8c10fcf4139e36ec7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7893671d70264e2a4ad4723ecd2542e5d962272b42b73d8c10fcf4139e36ec7"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 50208, "scanner": "repobility-threat-engine", "fingerprint": "2dba0dc3dcd5770ddb95eeb1900ee5212fe05b24b6cb55ca81293c00681858d9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2dba0dc3dcd5770ddb95eeb1900ee5212fe05b24b6cb55ca81293c00681858d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/browser-server/src/server.js"}, "region": {"startLine": 261}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 50207, "scanner": "repobility-threat-engine", "fingerprint": "46330e5a1115c3fd3b5c6be2a4ef39ebb95cb4f4ac1655c661971f8f35853e81", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46330e5a1115c3fd3b5c6be2a4ef39ebb95cb4f4ac1655c661971f8f35853e81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/browser-server/scripts/smoke-relay.js"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 50206, "scanner": "repobility-threat-engine", "fingerprint": "5bbf36fbd08fcab0c1577fd7b28d001186ce35eef80c97685eba837fc1b12c5c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5bbf36fbd08fcab0c1577fd7b28d001186ce35eef80c97685eba837fc1b12c5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agui/messagessnapshot/client/src/index.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50205, "scanner": "repobility-threat-engine", "fingerprint": "686262f11efb80cff440892e299fb162edf33f7b2b6db24b2e4fa03123c40cc4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|686262f11efb80cff440892e299fb162edf33f7b2b6db24b2e4fa03123c40cc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agui/client/tdesign-chat/src/agui/format.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50204, "scanner": "repobility-threat-engine", "fingerprint": "ae43030e4801054ded0010877c30271a6a0bbdfc029cf8e94356431748799e9a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ae43030e4801054ded0010877c30271a6a0bbdfc029cf8e94356431748799e9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agui/client/copilotkit/app/api/copilotkit/route.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 50203, "scanner": "repobility-threat-engine", "fingerprint": "a148387cf8868a0a501a0bc4faf5159bb0a49e23348499ec3e8aa9b6b27d6d39", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a148387cf8868a0a501a0bc4faf5159bb0a49e23348499ec3e8aa9b6b27d6d39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agui/client/copilotkit/app/api/copilotkit/route.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC091", "level": "none", "message": {"text": "[SEC091] Go: net/http server without timeouts (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 50202, "scanner": "repobility-threat-engine", "fingerprint": "a3e5cce619119424ea6829e58e7d8af8e15f6998f7dc06e8663cbb4f5c324e3b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a3e5cce619119424ea6829e58e7d8af8e15f6998f7dc06e8663cbb4f5c324e3b"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 50198, "scanner": "repobility-threat-engine", "fingerprint": "49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "logging_event_converter", "breakdown": {"if": 3, "for": 1, "elif": 4, "else": 2, "ternary": 2, "nested_bonus": 17}, "aggregated": true, "complexity": 29, "correlation_key": "fp|49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "aggregated_count": 15}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 50194, "scanner": "repobility-threat-engine", "fingerprint": "ffe0bb40951d1fe20325d6626515b6b3f5194cef1a3be6e6de11e9645a8d8a72", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ffe0bb40951d1fe20325d6626515b6b3f5194cef1a3be6e6de11e9645a8d8a72", "aggregated_count": 1}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 50193, "scanner": "repobility-threat-engine", "fingerprint": "cad11536d4b2728efdc9bd14298c15057491dc682a0097a41f2732d289face1d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cad11536d4b2728efdc9bd14298c15057491dc682a0097a41f2732d289face1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/nano-banana-pro/scripts/generate_image.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 50192, "scanner": "repobility-threat-engine", "fingerprint": "61b543e044b4299842f5b109dceb49c3e5f4a6379277bcf4126b5ff080291201", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|61b543e044b4299842f5b109dceb49c3e5f4a6379277bcf4126b5ff080291201"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2aadk/adk/adk_server.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 50191, "scanner": "repobility-threat-engine", "fingerprint": "edc8331ec0d37dd4f721bcd30e59864cf33a88f500c0dec106d917415f0c3d06", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|edc8331ec0d37dd4f721bcd30e59864cf33a88f500c0dec106d917415f0c3d06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2aadk/adk/adk_codeexec_server.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 50190, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 50189, "scanner": "repobility-threat-engine", "fingerprint": "9f8b2890441e1e6eede7b944256371a2c3ee04f50a8599863254feb9017e0d96", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "print(\"\u26a0\ufe0f  Warning: OPENAI_API_KEY not set\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|print warning: openai_api_key not set"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2aadk/adk/adk_server.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 50188, "scanner": "repobility-threat-engine", "fingerprint": "01d7368903cbdce837d256cc875fb03ccd33e4f7d23be0d3f57239d0793e6d1f", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "print(\"\u26a0\ufe0f  Warning: OPENAI_API_KEY not set\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|print warning: openai_api_key not set"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2aadk/adk/adk_codeexec_server.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 50187, "scanner": "repobility-threat-engine", "fingerprint": "1d97b538bdbee95fa6cf6a016c1b9daa7aaf10d2f5bc030fff20c0203129de62", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1d97b538bdbee95fa6cf6a016c1b9daa7aaf10d2f5bc030fff20c0203129de62", "aggregated_count": 17}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 50186, "scanner": "repobility-threat-engine", "fingerprint": "14c7526381000071fa88d64531361c54e7af27ece7187763e6d6873f5ba8fc84", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14c7526381000071fa88d64531361c54e7af27ece7187763e6d6873f5ba8fc84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/graph/dag_engine/main.go"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 50185, "scanner": "repobility-threat-engine", "fingerprint": "95daeed1b730d7075bb17c832a0bc8ab3a9db48e48eee2b8712d0f665dacb1c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|95daeed1b730d7075bb17c832a0bc8ab3a9db48e48eee2b8712d0f665dacb1c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/graph/concurrency_race/main.go"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 50184, "scanner": "repobility-threat-engine", "fingerprint": "644d3df75f07fad98e7e8c2a06107330851fd68145fadfc1343ac8e73fc7bbbe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|644d3df75f07fad98e7e8c2a06107330851fd68145fadfc1343ac8e73fc7bbbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/service/local/pool.go"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 50183, "scanner": "repobility-threat-engine", "fingerprint": "4707ff94c641e1a24252b51d475a328e654d88b051f1ff3d287ea4e85b926297", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4707ff94c641e1a24252b51d475a328e654d88b051f1ff3d287ea4e85b926297"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 50179, "scanner": "repobility-threat-engine", "fingerprint": "67ae2876ec2706c35f8021ea3b84b7e1c181e5b9746eca76b603a45a1bd05d45", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|67ae2876ec2706c35f8021ea3b84b7e1c181e5b9746eca76b603a45a1bd05d45"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 50175, "scanner": "repobility-threat-engine", "fingerprint": "80128a2031d52f7bb51319dfd46528eb8d24184724534537df2f4199a3a19227", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|80128a2031d52f7bb51319dfd46528eb8d24184724534537df2f4199a3a19227", "aggregated_count": 29}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50174, "scanner": "repobility-threat-engine", "fingerprint": "feca9e9f4964b4fb692ba02b1ce9c1c24c3ac65ac5f1c2b0451b357533d1a5a9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|feca9e9f4964b4fb692ba02b1ce9c1c24c3ac65ac5f1c2b0451b357533d1a5a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2amultipath/server/main.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50173, "scanner": "repobility-threat-engine", "fingerprint": "b7488795a5feff5e036e2ca3028039b0e43170dc9860d9526ad6762d28cd823c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7488795a5feff5e036e2ca3028039b0e43170dc9860d9526ad6762d28cd823c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2aagent/error_handling/main.go"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50172, "scanner": "repobility-threat-engine", "fingerprint": "e0e47f20f5ccd142375b6b539aa8836604761f5696bea3a8503c5c21e535378c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0e47f20f5ccd142375b6b539aa8836604761f5696bea3a8503c5c21e535378c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codeexecutor/jupyter/jupyter_client.go"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 50171, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 50167, "scanner": "repobility-threat-engine", "fingerprint": "b1ef96ba78e91c575c9008f7732011258bae620e39000f0994fb627e03b434c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b1ef96ba78e91c575c9008f7732011258bae620e39000f0994fb627e03b434c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codeexecutor/e2b/internal/codeinterpreter/client.go"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "properties": {"repobilityId": 50165, "scanner": "repobility-threat-engine", "fingerprint": "4f921e2ef7d5c45b2fe13941113d9a1a2aa530c0071eaefd2a62300eb22726ab", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4f921e2ef7d5c45b2fe13941113d9a1a2aa530c0071eaefd2a62300eb22726ab", "aggregated_count": 33}}}, {"ruleId": "MINED033", "level": "none", "message": {"text": "[MINED033] Go Recover Without Log (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 50161, "scanner": "repobility-threat-engine", "fingerprint": "1d767da94976f80b73b9d9d7aa54f607aa2309ee91453751411d108692dd0554", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1d767da94976f80b73b9d9d7aa54f607aa2309ee91453751411d108692dd0554", "aggregated_count": 13}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 230 more): Same pattern found in 230 additional files. Review if needed."}, "properties": {"repobilityId": 50157, "scanner": "repobility-threat-engine", "fingerprint": "bf04182cc6c3c312ab3cf68778318514947b09c4ed006fe5294745d5cc71f04c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 230 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bf04182cc6c3c312ab3cf68778318514947b09c4ed006fe5294745d5cc71f04c", "aggregated_count": 230}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 50156, "scanner": "repobility-threat-engine", "fingerprint": "d8ea05928129a4b4642e81e52ab69ae3a4b8ceaf38a81b0ae4d317beaff10548", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d8ea05928129a4b4642e81e52ab69ae3a4b8ceaf38a81b0ae4d317beaff10548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/llmagent/surface_runtime.go"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 50155, "scanner": "repobility-threat-engine", "fingerprint": "831443d5a64e360d380e984fc2fa16c937dd5cb26720af0b0d4c56678292e904", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|831443d5a64e360d380e984fc2fa16c937dd5cb26720af0b0d4c56678292e904"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/invocationcontext.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 50154, "scanner": "repobility-threat-engine", "fingerprint": "9c48ca259f57d2a7be447ec897f84207de68a1d4e27aa7ce7c2e777f76c2e3e2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9c48ca259f57d2a7be447ec897f84207de68a1d4e27aa7ce7c2e777f76c2e3e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/completion_capture.go"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC093", "level": "none", "message": {"text": "[SEC093] Go: exec.Command with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 50153, "scanner": "repobility-threat-engine", "fingerprint": "a92bfbfe9323f43c175afc257cc6d2f8ab7ffdfc52e91e27c7da2a42a7c6cbc6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a92bfbfe9323f43c175afc257cc6d2f8ab7ffdfc52e91e27c7da2a42a7c6cbc6"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 97 more): Same pattern found in 97 additional files. Review if needed."}, "properties": {"repobilityId": 50149, "scanner": "repobility-threat-engine", "fingerprint": "db26d909e18d7fd57d4213f1c790d2fedc22ef4941c381320d100e2b618b5954", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 97 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 97 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|db26d909e18d7fd57d4213f1c790d2fedc22ef4941c381320d100e2b618b5954"}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 63 more): Same pattern found in 63 additional files. Review if needed."}, "properties": {"repobilityId": 50145, "scanner": "repobility-threat-engine", "fingerprint": "9253416bf36ff76053de8e29013398dbac0fd9183a5caa9194c99f866b907490", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 63 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 63 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9253416bf36ff76053de8e29013398dbac0fd9183a5caa9194c99f866b907490"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 6369, "scanner": "repobility-threat-engine", "fingerprint": "8626f4ed94f189b60fe72ba89f150a1dc87f56552b8bdd1b7e6d0677a5ecd224", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"  1. Provide --api-key argument\", file=sys.stderr)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|print 1. provide --api-key argument file sys.stderr"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/nano-banana-pro/scripts/generate_image.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 6368, "scanner": "repobility-threat-engine", "fingerprint": "25abf38a6659add70832df269feb789d910e9e4d16333189240ae2b805de25c5", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "print(\"Missing OPENAI_API_KEY\", file=sys.stderr)", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|17|print missing openai_api_key file sys.stderr"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/openai-image-gen/scripts/gen.py"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 6367, "scanner": "repobility-threat-engine", "fingerprint": "de1f6c357f9097202ba611bd3df8e128fcfa19ec394d1b9ef0d35c7e6be19a39", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential", "evidence": {"match": "Password      = \"<redacted>\"", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|12|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/internal/gateway/stream.go"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 6364, "scanner": "repobility-threat-engine", "fingerprint": "e3e2143faab8604d43d48fca6db38dcffaa9b9db71ca1bfd8b7a8878b11490f6", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|115|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/browser-server/src/dom-tools.js"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 6363, "scanner": "repobility-threat-engine", "fingerprint": "2871cc0f488dd3e554eb1c14fd51dd937f0e0a46b7023591642e4bb039938b00", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|466|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/browser-extension/background.js"}, "region": {"startLine": 466}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 46 more): Same pattern found in 46 additional files. Review if needed."}, "properties": {"repobilityId": 6362, "scanner": "repobility-threat-engine", "fingerprint": "dbea112cd8e7e367f2ebd85948772b73d4bdbe7f7927e4c2fedd087469b34e3b", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 46 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 46 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dbea112cd8e7e367f2ebd85948772b73d4bdbe7f7927e4c2fedd087469b34e3b"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50326, "scanner": "repobility-supply-chain", "fingerprint": "b4697c735b1fc3d023ccbfd3a3f71fe49616834789b8473e1a5a5d613ac1a65f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4697c735b1fc3d023ccbfd3a3f71fe49616834789b8473e1a5a5d613ac1a65f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v5`: `uses: codecov/codecov-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50325, "scanner": "repobility-supply-chain", "fingerprint": "8677c49daa0be300dacf615160695cb4c3e3fb8bfa9cab53d556aeb55b59fd41", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8677c49daa0be300dacf615160695cb4c3e3fb8bfa9cab53d556aeb55b59fd41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50324, "scanner": "repobility-supply-chain", "fingerprint": "878af19b9d42c7c7ca245d49e1489152cc494bc6d5c32b99955363478a16480f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|878af19b9d42c7c7ca245d49e1489152cc494bc6d5c32b99955363478a16480f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50323, "scanner": "repobility-supply-chain", "fingerprint": "cae269186ab627062f7ab44c6088a54c75506bc6401806e2b2c030699c8801e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cae269186ab627062f7ab44c6088a54c75506bc6401806e2b2c030699c8801e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50322, "scanner": "repobility-supply-chain", "fingerprint": "1ae29d56cb2835ec8279b105514ccae6d083debef6d71c0fbc8f7ef9a6e6c885", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ae29d56cb2835ec8279b105514ccae6d083debef6d71c0fbc8f7ef9a6e6c885"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50321, "scanner": "repobility-supply-chain", "fingerprint": "ffcdacfa6efd45a29f3c5b82c7917ffb547bbefee0078fc82fad1532ec8abfbf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ffcdacfa6efd45a29f3c5b82c7917ffb547bbefee0078fc82fad1532ec8abfbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50320, "scanner": "repobility-supply-chain", "fingerprint": "cc70fd4c4e70b3f2ec3205559447e712c9f98c0ae75fa26e421fb52043843ee6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc70fd4c4e70b3f2ec3205559447e712c9f98c0ae75fa26e421fb52043843ee6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50319, "scanner": "repobility-supply-chain", "fingerprint": "d4aad255f4cdcf4f47fd79c4081a2d1911a7e2288179300a4e24fa9d412b9e28", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d4aad255f4cdcf4f47fd79c4081a2d1911a7e2288179300a4e24fa9d412b9e28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50318, "scanner": "repobility-supply-chain", "fingerprint": "bc9e7b2e62f559dd6f0a0a83a4ffdd24e69a532e577258244974b2b5aba97637", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc9e7b2e62f559dd6f0a0a83a4ffdd24e69a532e577258244974b2b5aba97637"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50317, "scanner": "repobility-supply-chain", "fingerprint": "3c218322cd9982c8ae7906e35162c17f5e0e9dae2cdb5293a1f60c94e6bdd1e1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c218322cd9982c8ae7906e35162c17f5e0e9dae2cdb5293a1f60c94e6bdd1e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50316, "scanner": "repobility-supply-chain", "fingerprint": "e3f23cd04e6f966c874db54b347630703cdb404a284052ee1a9fd647520e6c82", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e3f23cd04e6f966c874db54b347630703cdb404a284052ee1a9fd647520e6c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50315, "scanner": "repobility-supply-chain", "fingerprint": "5ac52eef6571013b772689eacb7879d8aea5102be442233888c9a788b8abf087", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ac52eef6571013b772689eacb7879d8aea5102be442233888c9a788b8abf087"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50314, "scanner": "repobility-supply-chain", "fingerprint": "4a8ec2722d4fe7b9167d90aa41748e5add42f65e18b8492ae9c601b408a21199", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a8ec2722d4fe7b9167d90aa41748e5add42f65e18b8492ae9c601b408a21199"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50313, "scanner": "repobility-supply-chain", "fingerprint": "75a67aa7f7f91babb206647939e8e5325e4387230d1ab8def897902d600eb7d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75a67aa7f7f91babb206647939e8e5325e4387230d1ab8def897902d600eb7d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/module-sum-check.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50312, "scanner": "repobility-supply-chain", "fingerprint": "a63f9ad1d7dc951b93a7148042f58f78283c41191acadceef05718747f2e46ed", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a63f9ad1d7dc951b93a7148042f58f78283c41191acadceef05718747f2e46ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/module-sum-check.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50311, "scanner": "repobility-supply-chain", "fingerprint": "1d51efef2f561bebd5526570b08125097f7161cc2cc1f8e86cb500a78481e15c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1d51efef2f561bebd5526570b08125097f7161cc2cc1f8e86cb500a78481e15c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/openclaw-release.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50310, "scanner": "repobility-supply-chain", "fingerprint": "5cfb4c2e182ac6a30864b3ab8575ba0d35d0b4ebb7328276084d11e4ad2288fc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5cfb4c2e182ac6a30864b3ab8575ba0d35d0b4ebb7328276084d11e4ad2288fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/openclaw-release.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50309, "scanner": "repobility-supply-chain", "fingerprint": "7c37d8db8af2371f7df9a32f8eabea80e7322e4c0e6cb89126a8d5c5892f514c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c37d8db8af2371f7df9a32f8eabea80e7322e4c0e6cb89126a8d5c5892f514c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/openclaw-release.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50308, "scanner": "repobility-supply-chain", "fingerprint": "9b859e2114a6a58f003d55422766913574c92f44ee48810aecf05181848efb54", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b859e2114a6a58f003d55422766913574c92f44ee48810aecf05181848efb54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/openclaw-release.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50307, "scanner": "repobility-supply-chain", "fingerprint": "7406692716da2f51849d46da7dc5695692012e5a36e4d807316669983b882f35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7406692716da2f51849d46da7dc5695692012e5a36e4d807316669983b882f35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/openclaw-release.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50306, "scanner": "repobility-supply-chain", "fingerprint": "60b05d54245bdd76747da262143facde918c882c759ffd0d064f6a6fb2099fb8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|60b05d54245bdd76747da262143facde918c882c759ffd0d064f6a6fb2099fb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/openclaw-release.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v3`: `uses: peaceiris/actions-gh-pages@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50305, "scanner": "repobility-supply-chain", "fingerprint": "6e832da7f02352efeaddc7885793dc8c831f8fbe9cfdfb2e29bc66885add40af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e832da7f02352efeaddc7885793dc8c831f8fbe9cfdfb2e29bc66885add40af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v4`: `uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50304, "scanner": "repobility-supply-chain", "fingerprint": "8a7538734a29e91f4a3581b9444ada306a8d81291f39819143149993ac18429b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a7538734a29e91f4a3581b9444ada306a8d81291f39819143149993ac18429b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50303, "scanner": "repobility-supply-chain", "fingerprint": "0239551ee2fdfda7ef0e9545f61dbd35bb2dda246d2806a3f5203ca39428e555", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0239551ee2fdfda7ef0e9545f61dbd35bb2dda246d2806a3f5203ca39428e555"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `contributor-assistant/github-action` pinned to mutable ref `@v2.6.1`: `uses: contributor-assistant/github-action@v2.6.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50302, "scanner": "repobility-supply-chain", "fingerprint": "7f85bcffd5ed68b5f8c32fc9b5d50814379ac0232d23e718e28f7fcc20a427b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7f85bcffd5ed68b5f8c32fc9b5d50814379ac0232d23e718e28f7fcc20a427b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cla.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50299, "scanner": "repobility-supply-chain", "fingerprint": "bcbbcc98e03e62e077bc3920739e24f6f08d3a82b675e26604f9e1323ef0248e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bcbbcc98e03e62e077bc3920739e24f6f08d3a82b675e26604f9e1323ef0248e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/skill/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50298, "scanner": "repobility-supply-chain", "fingerprint": "0f6fd3c5c28c416136e0956f51e8fd9231810aa8d0fface7063e51642aea9458", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f6fd3c5c28c416136e0956f51e8fd9231810aa8d0fface7063e51642aea9458"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/tailor/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50297, "scanner": "repobility-supply-chain", "fingerprint": "67b157297fb5d87ad401d6fb61eca2043352a29c547dc4c2e02b2bf9c10b4074", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67b157297fb5d87ad401d6fb61eca2043352a29c547dc4c2e02b2bf9c10b4074"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/session/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50296, "scanner": "repobility-supply-chain", "fingerprint": "863c5087ca7bc4d969463a887477b7656a01dd549721d1237337f2751d2858d5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|863c5087ca7bc4d969463a887477b7656a01dd549721d1237337f2751d2858d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2ui/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50295, "scanner": "repobility-supply-chain", "fingerprint": "056bdbebd7d6ad23a810b8f9f0eec5cd79f56fe8822e7ebab5490b905a10d004", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|056bdbebd7d6ad23a810b8f9f0eec5cd79f56fe8822e7ebab5490b905a10d004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/graph/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50294, "scanner": "repobility-supply-chain", "fingerprint": "053256e05f64c23b2c62e7ac019f5c980f1525112da7749618a356246d9ec079", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|053256e05f64c23b2c62e7ac019f5c980f1525112da7749618a356246d9ec079"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/knowledge/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50293, "scanner": "repobility-supply-chain", "fingerprint": "654f1f6befc575a1467168fa8230457a94400dc2adade755ad992957c0cd2a1f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|654f1f6befc575a1467168fa8230457a94400dc2adade755ad992957c0cd2a1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "memory/mysqlvec/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` \u2014 points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50292, "scanner": "repobility-supply-chain", "fingerprint": "8ab6813a3995da90c59d472c9c7e7d6b0c87a96fde698b09e132713dd96ac955", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ab6813a3995da90c59d472c9c7e7d6b0c87a96fde698b09e132713dd96ac955"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "memory/sqlitevec/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50291, "scanner": "repobility-supply-chain", "fingerprint": "7426650b50bb8457e23338b529131f67e89c0361bd7ee92718ddcb0c5b1126f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7426650b50bb8457e23338b529131f67e89c0361bd7ee92718ddcb0c5b1126f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "memory/mysql/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50290, "scanner": "repobility-supply-chain", "fingerprint": "809e953acd5e638a481a07a345e2eb870e81b3746db199949e3411e0562d3125", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|809e953acd5e638a481a07a345e2eb870e81b3746db199949e3411e0562d3125"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "memory/pgvector/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50289, "scanner": "repobility-supply-chain", "fingerprint": "6321fa0932f216884b070bb11af4014a98d4ef3b323b72414170641871ab18b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6321fa0932f216884b070bb11af4014a98d4ef3b323b72414170641871ab18b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "memory/redis/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50288, "scanner": "repobility-supply-chain", "fingerprint": "94cb6dc7a1166655f766879c7572ee59d9e64be4919ce8201e6df022d1a66a79", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|94cb6dc7a1166655f766879c7572ee59d9e64be4919ce8201e6df022d1a66a79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "memory/postgres/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` \u2014 points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50287, "scanner": "repobility-supply-chain", "fingerprint": "0bc81893d56e607d3e310ffa0f2f4078fad7e1170ae51be4a61bedabbb3e77c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0bc81893d56e607d3e310ffa0f2f4078fad7e1170ae51be4a61bedabbb3e77c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "memory/sqlite/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` \u2014 points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50286, "scanner": "repobility-supply-chain", "fingerprint": "123e1468432c8384ff5019093685c5d8957750ef6a66a17acb8974ca4daa9b98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|123e1468432c8384ff5019093685c5d8957750ef6a66a17acb8974ca4daa9b98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codeexecutor/container/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` \u2014 points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50285, "scanner": "repobility-supply-chain", "fingerprint": "8e69aad9fd96c7602dc10bded31fb20dfa1a34d3d9383608e7cc72aafae522cb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e69aad9fd96c7602dc10bded31fb20dfa1a34d3d9383608e7cc72aafae522cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codeexecutor/jupyter/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` \u2014 points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../../../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50284, "scanner": "repobility-supply-chain", "fingerprint": "079120d1cd1bc6cbce6454024d36d6472ccfba2c1a5952559cc5a73922978887", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|079120d1cd1bc6cbce6454024d36d6472ccfba2c1a5952559cc5a73922978887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/extension/toolpipe/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` \u2014 points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50283, "scanner": "repobility-supply-chain", "fingerprint": "81a16812ac0cb6798d22728a4a8c7b14078f545ebc17a36d89084ad9ba28c9fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81a16812ac0cb6798d22728a4a8c7b14078f545ebc17a36d89084ad9ba28c9fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/weknora/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` \u2014 points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50282, "scanner": "repobility-supply-chain", "fingerprint": "d2f9992441fbe26e484e6b0e876241759d14d7ca122b7bd7781119d1be34f216", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2f9992441fbe26e484e6b0e876241759d14d7ca122b7bd7781119d1be34f216"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/n8n/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` \u2014 points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50281, "scanner": "repobility-supply-chain", "fingerprint": "30028d930bb971f2cb37fb679bad0ddb6ee0cba581b62822c76d1341043a469e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|30028d930bb971f2cb37fb679bad0ddb6ee0cba581b62822c76d1341043a469e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/dify/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go/knowledge/vectorstore/elasticsearch` \u2014 points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go/knowledge/vectorstore/elasticsearch => ../knowledge/vectorstore/elasticsearch` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50280, "scanner": "repobility-supply-chain", "fingerprint": "211927a989943a29b8e3fdc3ff65c5ba47bd9b4f7804ff4e14ce3833d7e96103", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|211927a989943a29b8e3fdc3ff65c5ba47bd9b4f7804ff4e14ce3833d7e96103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/go.mod"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50279, "scanner": "repobility-supply-chain", "fingerprint": "384165f77c6db41db771796bd1cc44a560f59fe863755c0ccad4e38fed311e01", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|384165f77c6db41db771796bd1cc44a560f59fe863755c0ccad4e38fed311e01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go/server/agui` \u2014 points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go/server/agui => ../server/agui` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50278, "scanner": "repobility-supply-chain", "fingerprint": "33eb77bec078d693d7065bf413b824c1e76c2c8209ce9db29c719818f9d9db2d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33eb77bec078d693d7065bf413b824c1e76c2c8209ce9db29c719818f9d9db2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/go.mod"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` \u2014 points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50277, "scanner": "repobility-supply-chain", "fingerprint": "3add337e17f71929c452b0b409e2ba7eded40fef4286a895d55fc69943c60cae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3add337e17f71929c452b0b409e2ba7eded40fef4286a895d55fc69943c60cae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/go.mod"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50276, "scanner": "repobility-supply-chain", "fingerprint": "5b68ab6c23a5ce436f5d73641a56396f16b8aeb2474ac0a9726ae055fde3e392", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b68ab6c23a5ce436f5d73641a56396f16b8aeb2474ac0a9726ae055fde3e392"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 50275, "scanner": "repobility-supply-chain", "fingerprint": "8f7f75cac594969a1ffb2481b1ba6519c49c7ae40b102cda9f62e505c79c9d0f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f7f75cac594969a1ffb2481b1ba6519c49c7ae40b102cda9f62e505c79c9d0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /rerank has no auth: Handler `rerank` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 50274, "scanner": "repobility-route-auth", "fingerprint": "12c399192df4016517ba34f78b98b1f9b583b54fcafabb395b3d250e95be7eb2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|12c399192df4016517ba34f78b98b1f9b583b54fcafabb395b3d250e95be7eb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/knowledge/reranker/infinity/deploy_infinity.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 50236, "scanner": "repobility-threat-engine", "fingerprint": "17d94e4b8da331a96f58cd46f7c6d4a37648a634fed7e316b0df7f9b534923c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17d94e4b8da331a96f58cd46f7c6d4a37648a634fed7e316b0df7f9b534923c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/model-usage/scripts/model_usage.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 50234, "scanner": "repobility-threat-engine", "fingerprint": "45998d9f318d65f5938ac1784a819b12d556e731c20d2d7bc1a5147e20432f36", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((tab) => `${tab.targetId} ${tab.title} ${tab.url}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|45998d9f318d65f5938ac1784a819b12d556e731c20d2d7bc1a5147e20432f36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/browser-extension/popup.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 50233, "scanner": "repobility-threat-engine", "fingerprint": "3ea2bde3eb6765d66a00f443666bbd74c933aaa1f7f6b6eaccda1292f815fa0a", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Bytes(input.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3ea2bde3eb6765d66a00f443666bbd74c933aaa1f7f6b6eaccda1292f815fa0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/toolretry/runner.go"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 50231, "scanner": "repobility-threat-engine", "fingerprint": "c04a5f9ad3ef42779ede24d1e5666974da25f14a2c1ae835bae8a6a5b3b77900", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.Join(dir, input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|119|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/internal/channel/telegram/audio_input.go"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 50230, "scanner": "repobility-threat-engine", "fingerprint": "fcdd2e71aefc53b66e58173b043e0f643eedc0dae79a017224d84606218e253a", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.Join(codeexecutor.DirWork, \"input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|242|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/workspaceinput/stager.go"}, "region": {"startLine": 242}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 50229, "scanner": "repobility-threat-engine", "fingerprint": "e762611dd1be92ac858fd4efa889eb9fddae1b68a3d3ab0490524bacb3aee80d", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.Join(base, skillDirInput", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|310|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/skillstage/stager.go"}, "region": {"startLine": 310}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 50228, "scanner": "repobility-threat-engine", "fingerprint": "cb0ce9f52ed54571c38b0a16fee0f2c69e75ded008875812c112b61277a9aafe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cb0ce9f52ed54571c38b0a16fee0f2c69e75ded008875812c112b61277a9aafe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge/source/source.go"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 50227, "scanner": "repobility-threat-engine", "fingerprint": "6d11f0fd17b0531de2e1f2f733b14913154b5a0f4157d06eede83a96e981843f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d11f0fd17b0531de2e1f2f733b14913154b5a0f4157d06eede83a96e981843f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge/source/repo/graph_source.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 50226, "scanner": "repobility-threat-engine", "fingerprint": "3841af6dad9755b7a2206a7a40126cc09fd84ea437d7167df18f0ef4b3030eff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3841af6dad9755b7a2206a7a40126cc09fd84ea437d7167df18f0ef4b3030eff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/tool/codeexec/main.go"}, "region": {"startLine": 372}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 50221, "scanner": "repobility-threat-engine", "fingerprint": "193816038bdf3fc8fe3b6e63dac51d159809007f0542153a638f0306ee5206fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|193816038bdf3fc8fe3b6e63dac51d159809007f0542153a638f0306ee5206fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/agui/service/sse/sse.go"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 50220, "scanner": "repobility-threat-engine", "fingerprint": "4cf3f1f3a56c3042da99f824b3101f983a9d9e8edd8466e8269555330d1cbe65", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4cf3f1f3a56c3042da99f824b3101f983a9d9e8edd8466e8269555330d1cbe65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/a2a/agent_card.go"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 50219, "scanner": "repobility-threat-engine", "fingerprint": "a103edfd4e64a3a371ac1f089c0aa5c872fd1258c06db05256b7311171f71c46", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a103edfd4e64a3a371ac1f089c0aa5c872fd1258c06db05256b7311171f71c46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/openapitool/mockserver/main.go"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 50213, "scanner": "repobility-threat-engine", "fingerprint": "97a691583b340f65587e40d772e4234e81efa559b7ec3067c695dee9c4f4ba90", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.post(\"/rerank\", response_model=RerankResponse)\nasync def rerank(request: RerankRequest)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|97a691583b340f65587e40d772e4234e81efa559b7ec3067c695dee9c4f4ba90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/knowledge/reranker/infinity/deploy_infinity.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `logging_event_converter` has cognitive complexity 29 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=4, else=2, for=1, if=3, nested_bonus=17, ternary=2."}, "properties": {"repobilityId": 50195, "scanner": "repobility-threat-engine", "fingerprint": "15cb350aaafdadf7efe7267422a954c6bb0f0e79f981982f7ec1e02efbf1fc7d", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 29 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "logging_event_converter", "breakdown": {"if": 3, "for": 1, "elif": 4, "else": 2, "ternary": 2, "nested_bonus": 17}, "complexity": 29, "correlation_key": "fp|15cb350aaafdadf7efe7267422a954c6bb0f0e79f981982f7ec1e02efbf1fc7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2aadk/adk/adk_codeexec_server.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50182, "scanner": "repobility-threat-engine", "fingerprint": "20e916c3213afa4c9b77bf66a9a9586eedbd77cfa1794d924498fae6e48460a0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|20e916c3213afa4c9b77bf66a9a9586eedbd77cfa1794d924498fae6e48460a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/metric/mysql/mysql.go"}, "region": {"startLine": 145}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50181, "scanner": "repobility-threat-engine", "fingerprint": "4744baeb1bcd58d03df588767d0405db1028368449fcc0c8b6515664a1a44746", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4744baeb1bcd58d03df588767d0405db1028368449fcc0c8b6515664a1a44746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/internal/mysqldb/schema.go"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50180, "scanner": "repobility-threat-engine", "fingerprint": "426d2cac7271e4d3db334fc86726713dfc972ef2a79682155242027fbc68d677", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|426d2cac7271e4d3db334fc86726713dfc972ef2a79682155242027fbc68d677"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evalresult/mysql/mysql.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50170, "scanner": "repobility-threat-engine", "fingerprint": "00d04c14301510a7d6911eef6e8cc1e8eb6a707534c2c421c3c1caa8d97102f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "langfuseOutputs.Delete(traceID)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00d04c14301510a7d6911eef6e8cc1e8eb6a707534c2c421c3c1caa8d97102f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agui/server/langfuse/main.go"}, "region": {"startLine": 138}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50169, "scanner": "repobility-threat-engine", "fingerprint": "5b34f145f8a5f4b1cbb518bdf22cbd7c5c4baadc245b452a153836506726c4f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "r.accumulators.Delete(requestID)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5b34f145f8a5f4b1cbb518bdf22cbd7c5c4baadc245b452a153836506726c4f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/evalset/recorder/recorder.go"}, "region": {"startLine": 121}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50168, "scanner": "repobility-threat-engine", "fingerprint": "96bae54a261a6d3dc2c36fc51a3384364f931fb66ef555dc3e6bba028290c73b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "image.save(\"test.png\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|96bae54a261a6d3dc2c36fc51a3384364f931fb66ef555dc3e6bba028290c73b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codeexecutor/e2b/internal/codeinterpreter/example/main.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 50164, "scanner": "repobility-threat-engine", "fingerprint": "d61635ae3c38a68854b73307ff35a5c0a40abedd0a38c2c11e02381ffb588021", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d61635ae3c38a68854b73307ff35a5c0a40abedd0a38c2c11e02381ffb588021"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/metric/criterion/json/json.go"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 50163, "scanner": "repobility-threat-engine", "fingerprint": "5a30f83e21d882d356a2ef043f7706b87725a9a59e7a10b166f5f937a91a409d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a30f83e21d882d356a2ef043f7706b87725a9a59e7a10b166f5f937a91a409d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/internal/rouge/scorer.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 50162, "scanner": "repobility-threat-engine", "fingerprint": "edc4a223856581ed8217e028d9dac0fbfbdf3b8ba8473f8a10947a1fff0ed684", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|edc4a223856581ed8217e028d9dac0fbfbdf3b8ba8473f8a10947a1fff0ed684"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "artifact/cos/client.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 50160, "scanner": "repobility-threat-engine", "fingerprint": "7f126a807457ef4b02d5b97b022f86c329d32b945033ef002936e8d9c49ae6f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7f126a807457ef4b02d5b97b022f86c329d32b945033ef002936e8d9c49ae6f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "graph/emitter.go"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 50159, "scanner": "repobility-threat-engine", "fingerprint": "65f89be5c5a817c63855eeb4f707ad242e76249e681e9988d3c0c2b756323ea0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|65f89be5c5a817c63855eeb4f707ad242e76249e681e9988d3c0c2b756323ea0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/internal/callback/callbacks.go"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 50158, "scanner": "repobility-threat-engine", "fingerprint": "ac1ea7fad1ed88f4ba67965d22b580e2529b9d90c236b3a50f2b80eea6e98528", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ac1ea7fad1ed88f4ba67965d22b580e2529b9d90c236b3a50f2b80eea6e98528"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/extension/extension.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 50152, "scanner": "repobility-threat-engine", "fingerprint": "b87cd2e52439a9748cb128ae2d3eedadf9303cec07fa2a8319e41d18bd375459", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(\n\t\tctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b87cd2e52439a9748cb128ae2d3eedadf9303cec07fa2a8319e41d18bd375459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/internal/channel/telegram/audio_input.go"}, "region": {"startLine": 129}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 50151, "scanner": "repobility-threat-engine", "fingerprint": "d15b45a28f8061dae108f11d734916d70ba20d5aa71287f0b2ecb3bd07a22d01", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d15b45a28f8061dae108f11d734916d70ba20d5aa71287f0b2ecb3bd07a22d01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "graph/visualize.go"}, "region": {"startLine": 323}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 50150, "scanner": "repobility-threat-engine", "fingerprint": "f54a09d348d3499504c99972d3aa4f96aa16e680e08306b7b329c180fc72f83b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f54a09d348d3499504c99972d3aa4f96aa16e680e08306b7b329c180fc72f83b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/claudecode/command.go"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50148, "scanner": "repobility-threat-engine", "fingerprint": "32ba3a6f3759840c9da98787643fc7b039736bd79bf3607a7309d9ac99ce185b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|32ba3a6f3759840c9da98787643fc7b039736bd79bf3607a7309d9ac99ce185b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/n8n/n8n_agent_option.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50147, "scanner": "repobility-threat-engine", "fingerprint": "c4afc13ab528838575de166f79f02460aa628d6b5a62deb3feff1cee09012acd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c4afc13ab528838575de166f79f02460aa628d6b5a62deb3feff1cee09012acd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/dify/dify_agent_option.go"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50146, "scanner": "repobility-threat-engine", "fingerprint": "db99c5a354ce275691d3e0e9136d881bd88290a7d6f0f4384dcf7006be613898", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|db99c5a354ce275691d3e0e9136d881bd88290a7d6f0f4384dcf7006be613898"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/a2aagent/a2a_agent_option.go"}, "region": {"startLine": 219}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 6370, "scanner": "repobility-threat-engine", "fingerprint": "a17dcf49815ca3a5232957c947d43cd0b41c01e91c1c7cb2ea952caa2c20affd", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|83|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openclaw/skills/model-usage/scripts/model_usage.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50327, "scanner": "repobility-supply-chain", "fingerprint": "8d15bea29c03309bc29ee58aefa106ff03e1273c6568711c15c8122999592c75", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d15bea29c03309bc29ee58aefa106ff03e1273c6568711c15c8122999592c75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prc.yml"}, "region": {"startLine": 145}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 50215, "scanner": "repobility-threat-engine", "fingerprint": "7965ee11e6c13b484738a9262440785f5fd4b41ddaec39fad10d12b0d939ec73", "category": "credential_exposure", "severity": "critical", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: documentation/example path]", "evidence": {"match": "postgres://%s:%s@", "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "secret|token|7|postgres:// s: s"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/knowledge/vectorstores/postgres/main.go"}, "region": {"startLine": 78}}}]}]}]}