{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-3pv8-6f4r-ffg2", "name": "tar: GHSA-3pv8-6f4r-ffg2", "shortDescription": {"text": "tar: GHSA-3pv8-6f4r-ffg2"}, "fullDescription": {"text": "tar has a PAX header desynchronization issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-phqj-4mhp-q6mq", "name": "openssl: GHSA-phqj-4mhp-q6mq", "shortDescription": {"text": "openssl: GHSA-phqj-4mhp-q6mq"}, "fullDescription": {"text": "rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "When 
dependency installation comes after COPY ., any source change invalidates the dependency layer and makes Docker rebuild much more slowly."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `shiki` is 1 major version(s) behind (^3.7.0 -> 4.2.0)", "shortDescription": {"text": "npm package `shiki` is 1 major version(s) behind (^3.7.0 -> 4.2.0)"}, "fullDescription": {"text": "`shiki` is pinned/resolved at ^3.7.0 but the latest stable release on the npm registry is 4.2.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 52 more): Same pattern found in 52 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0320", "name": "yaml-rust: RUSTSEC-2024-0320", "shortDescription": {"text": "yaml-rust: RUSTSEC-2024-0320"}, "fullDescription": {"text": "yaml-rust is unmaintained."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0009", "name": "time: RUSTSEC-2026-0009", "shortDescription": {"text": "time: RUSTSEC-2026-0009"}, "fullDescription": {"text": "Denial of Service via Stack Exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0436", "name": "paste: RUSTSEC-2024-0436", "shortDescription": {"text": "paste: RUSTSEC-2024-0436"}, "fullDescription": {"text": "paste - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0141", "name": "bincode: RUSTSEC-2025-0141", "shortDescription": {"text": "bincode: RUSTSEC-2025-0141"}, "fullDescription": {"text": "Bincode is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": 
"Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory; compare against the base directory plus a trailing path separator (or use os.path.commonpath()), because a bare prefix check also accepts a sibling directory whose name merely begins with the base name. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `alpine:latest` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `alpine:latest` not pinned by digest"}, "fullDescription": {"text": "`FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/927"}, "properties": {"repository": "typst/typst", "repoUrl": "https://github.com/typst/typst", "branch": "main"}, "results": [{"ruleId": "GHSA-3pv8-6f4r-ffg2", "level": "warning", "message": {"text": "tar: GHSA-3pv8-6f4r-ffg2"}, "properties": {"repobilityId": 86934, "scanner": "osv-scanner", "fingerprint": "9cd1204918222b95ec0d08856c831b55ba7644607d596b5a5ad4ea9f50231490", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "tar", "rule_id": "GHSA-3pv8-6f4r-ffg2", "scanner": "osv-scanner", "correlation_key": "vuln|tar|GHSA-3PV8-6F4R-FFG2|cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-phqj-4mhp-q6mq", "level": "warning", "message": {"text": "openssl: GHSA-phqj-4mhp-q6mq"}, "properties": {"repobilityId": 86932, "scanner": "osv-scanner", "fingerprint": "e7d9444dd05c6f7db70b4bbdd19e857b94c64c61212cc0633fa15cbc0de69929", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45784"], "package": "openssl", "rule_id": "GHSA-phqj-4mhp-q6mq", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-45784|cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, 
"properties": {"repobilityId": 86930, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86929, "scanner": "repobility-docker", "fingerprint": "feb548057a256076c3b022fd93e70f4d97d8bc5100bf34647720559db7630416", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|feb548057a256076c3b022fd93e70f4d97d8bc5100bf34647720559db7630416"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 86928, "scanner": "repobility-docker", "fingerprint": "a0d0f6c79a35ab37fd8760312697092d731d3be23ffc53d52fb3fe7d5281e6f9", "category": 
"docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 7 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 7, "correlation_key": "fp|a0d0f6c79a35ab37fd8760312697092d731d3be23ffc53d52fb3fe7d5281e6f9", "dependency_install_line": 9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 86927, "scanner": "repobility-docker", "fingerprint": "a5ca537e5592ea2ef92f4049c09f00a9f04ba65e330a6c1e2e8497711574c3f1", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a5ca537e5592ea2ef92f4049c09f00a9f04ba65e330a6c1e2e8497711574c3f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 86925, "scanner": "repobility-docker", "fingerprint": "a70ec62f28e07c2d70cdf540496294baa3996f5ce6f8d4f441db285f2b05e631", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "tonistiigi/xx", 
"rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a70ec62f28e07c2d70cdf540496294baa3996f5ce6f8d4f441db285f2b05e631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 86905, "scanner": "repobility-threat-engine", "fingerprint": "66c830a4d1db31e0874292c58e2150dbd63423dc0f93ef34e2cfdf40e360a970", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|12|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-eval/src/binding.rs"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 86904, "scanner": "repobility-threat-engine", "fingerprint": "3861ec3b3973e77e3224e6a11c24e4713e16353da3662ba3c7a90b4641b8c01f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ":Eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|75|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-cli/src/main.rs"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 86903, "scanner": "repobility-threat-engine", "fingerprint": "243cfb5c0f5546c4a8a02b22f1bc1893a8ee92c7d9306424b442b74348585660", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|18|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-cli/src/eval.rs"}, "region": {"startLine": 18}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `shiki` is 1 major version(s) behind (^3.7.0 -> 4.2.0)"}, "properties": {"repobilityId": 86895, "scanner": "repobility-dependency-currency", "fingerprint": "bec373fb7816c8a84739ebc56707a1032cea17f508f4525568df80c18013862b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shiki", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.2.0", "correlation_key": "fp|bec373fb7816c8a84739ebc56707a1032cea17f508f4525568df80c18013862b", "current_version": "^3.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/test-helper/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/vscode` is minor version(s) behind (^1.101.0 -> 1.120.0)"}, "properties": {"repobilityId": 86896, "scanner": "repobility-dependency-currency", "fingerprint": "21ea549cdfd74084c4c4d7cba9c8da57f981c2e9cb56b7561ff5bbcb34c8da95", "category": "dependency", 
"severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/vscode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.120.0", "correlation_key": "fp|21ea549cdfd74084c4c4d7cba9c8da57f981c2e9cb56b7561ff5bbcb34c8da95", "current_version": "^1.101.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/test-helper/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86893, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72043a864467410d62754d2f9086f3a175ab5e4b89178a302ded3a0fcb502245", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-ide/src/tests.rs", "duplicate_line": 52, "correlation_key": "fp|72043a864467410d62754d2f9086f3a175ab5e4b89178a302ded3a0fcb502245"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/src/world.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86892, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6864be9e03ad4436adfbaaf480aed145d05c3bca619eff022c0ee9679954837c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-svg/src/image.rs", "duplicate_line": 135, "correlation_key": "fp|6864be9e03ad4436adfbaaf480aed145d05c3bca619eff022c0ee9679954837c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/src/output.rs"}, "region": {"startLine": 225}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86891, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8f44d65c8a342cc1d18485f31d3671a6cea42e9117572311b6a0e26904a1db3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-render/src/image.rs", "duplicate_line": 91, "correlation_key": "fp|f8f44d65c8a342cc1d18485f31d3671a6cea42e9117572311b6a0e26904a1db3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/src/output.rs"}, "region": {"startLine": 208}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86890, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c95b84657ee0a9162a19fabdc448909eef0a987faac9eb5eed5a533371edab0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-render/src/image.rs", 
"duplicate_line": 91, "correlation_key": "fp|5c95b84657ee0a9162a19fabdc448909eef0a987faac9eb5eed5a533371edab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-svg/src/image.rs"}, "region": {"startLine": 118}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86889, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96e8da5f86bdfc3d58eb37b0aaa6ce21714ab32f70e5205e71063dc1e5f3f168", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-cli/src/args.rs", "duplicate_line": 273, "correlation_key": "fp|96e8da5f86bdfc3d58eb37b0aaa6ce21714ab32f70e5205e71063dc1e5f3f168"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-pdf/src/lib.rs"}, "region": {"startLine": 198}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86888, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e16ff51bd2279478f8dc08522a5282a200d11391bf1571ed54cd81b0bc75c51a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-library/src/math/mod.rs", "duplicate_line": 125, "correlation_key": "fp|e16ff51bd2279478f8dc08522a5282a200d11391bf1571ed54cd81b0bc75c51a"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "crates/typst-library/src/text/mod.rs"}, "region": {"startLine": 263}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86887, "scanner": "repobility-ai-code-hygiene", "fingerprint": "539b3b6e12f6a32f11f6e11998a766512aa1533dfebb40c8058a1ef71b0994b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-library/src/layout/grid/mod.rs", "duplicate_line": 21, "correlation_key": "fp|539b3b6e12f6a32f11f6e11998a766512aa1533dfebb40c8058a1ef71b0994b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-library/src/model/table.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86886, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1013d424b98c2292ff3b5a1ef6528ea71358068a3f707dbf3f18cc662fb55f50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-library/src/layout/fr.rs", "duplicate_line": 10, "correlation_key": "fp|1013d424b98c2292ff3b5a1ef6528ea71358068a3f707dbf3f18cc662fb55f50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-library/src/layout/ratio.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86885, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a978b54ceae044ffca74021218ac05afa73021a68d71355d1d5ddaf9a6462799", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-html/src/introspect.rs", "duplicate_line": 58, "correlation_key": "fp|a978b54ceae044ffca74021218ac05afa73021a68d71355d1d5ddaf9a6462799"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-layout/src/introspect.rs"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86884, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4cca0f6db997a6b9d16d610f634c3de9e1c5d63128aba7d90820452accd20051", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-bundle/src/introspect.rs", "duplicate_line": 54, "correlation_key": "fp|4cca0f6db997a6b9d16d610f634c3de9e1c5d63128aba7d90820452accd20051"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-layout/src/introspect.rs"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86883, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "c74ef8d3977d0ee47aea1a266c34a2b11fab5d2a4b849e40dede33eb428237e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-layout/src/flow/block.rs", "duplicate_line": 43, "correlation_key": "fp|c74ef8d3977d0ee47aea1a266c34a2b11fab5d2a4b849e40dede33eb428237e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-layout/src/inline/box.rs"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86882, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe8d5104f30619ff2516dc410fe51735722784b3a8ab31788602a03d8724021f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-bundle/src/introspect.rs", "duplicate_line": 54, "correlation_key": "fp|fe8d5104f30619ff2516dc410fe51735722784b3a8ab31788602a03d8724021f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-html/src/introspect.rs"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86881, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ecd6f07d430e7d1d1413be1838bcbb96953b55162c9e64b49933554d7694361", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/typst-cli/src/eval.rs", "duplicate_line": 51, "correlation_key": "fp|8ecd6f07d430e7d1d1413be1838bcbb96953b55162c9e64b49933554d7694361"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-cli/src/query.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 86923, "scanner": "repobility-threat-engine", "fingerprint": "d5c78c1053b35aaa9d14ce2a49e9212eed18645520f55b0ae901ee538068e30b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d5c78c1053b35aaa9d14ce2a49e9212eed18645520f55b0ae901ee538068e30b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-utils/src/fat.rs"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 86922, "scanner": "repobility-threat-engine", "fingerprint": "ddf09e395fc7ea4aab97c26757b24c0d6bce4b0acd7194d55366cbdf05a28a24", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ddf09e395fc7ea4aab97c26757b24c0d6bce4b0acd7194d55366cbdf05a28a24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-library/src/text/font/mod.rs"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 86921, "scanner": "repobility-threat-engine", "fingerprint": "01e82aa9157f073e92df9ddf3ed67516192afcd0186d6ab4f309dc2d5c4b8ae4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01e82aa9157f073e92df9ddf3ed67516192afcd0186d6ab4f309dc2d5c4b8ae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-library/src/foundations/content/packed.rs"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 86917, "scanner": "repobility-threat-engine", "fingerprint": "f2bf68dbf6d5f27d881fbdf44465eef3a6c230779270894ac9898491470c27b0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f2bf68dbf6d5f27d881fbdf44465eef3a6c230779270894ac9898491470c27b0", "aggregated_count": 6}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 86916, "scanner": "repobility-threat-engine", "fingerprint": "871d35408e540acd938590e30c05004673d7c600cb4598a05d0800c586db2809", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|871d35408e540acd938590e30c05004673d7c600cb4598a05d0800c586db2809"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-html/src/document.rs"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 86915, "scanner": "repobility-threat-engine", "fingerprint": "e0dbfd695c8ad9a6379c4da9ffd33081356926a678d563c494994bd6417aaf7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0dbfd695c8ad9a6379c4da9ffd33081356926a678d563c494994bd6417aaf7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-eval/src/lib.rs"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 86914, "scanner": "repobility-threat-engine", "fingerprint": "41d4e66080eb8140fcd052b6c2c2010a951cb72420a38ac29cc6be9b8081cdda", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41d4e66080eb8140fcd052b6c2c2010a951cb72420a38ac29cc6be9b8081cdda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-eval/src/import.rs"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86913, "scanner": "repobility-threat-engine", "fingerprint": "184df5bd43ab76ac62328732b99d2589fe8e57bba92e2c01840ec43aaf47637c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|184df5bd43ab76ac62328732b99d2589fe8e57bba92e2c01840ec43aaf47637c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/main.rs"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED043", 
"level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86912, "scanner": "repobility-threat-engine", "fingerprint": "e5edfc4e08b7821ec80ce078fc596e0116a37505e196161f247023866c83f19c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e5edfc4e08b7821ec80ce078fc596e0116a37505e196161f247023866c83f19c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-library/src/loading/mod.rs"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86911, "scanner": "repobility-threat-engine", "fingerprint": "d8e0be79be62d6e6e120a3a38e8d8346953c58e40a3c9b8473812c012eec3f23", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d8e0be79be62d6e6e120a3a38e8d8346953c58e40a3c9b8473812c012eec3f23"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "crates/typst-cli/src/watch.rs"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 86910, "scanner": "repobility-threat-engine", "fingerprint": "c02a4a766acbef3e257bb917cb5e1b5547c74e92e36f0b500971fcac1bb9ebf2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c02a4a766acbef3e257bb917cb5e1b5547c74e92e36f0b500971fcac1bb9ebf2", "aggregated_count": 11}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 86909, "scanner": "repobility-threat-engine", "fingerprint": "f723f7158f30139ee121aa044b4487b49146f0373ccb5a467e51e2bbfa233241", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f723f7158f30139ee121aa044b4487b49146f0373ccb5a467e51e2bbfa233241"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-eval/src/methods.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 86908, "scanner": "repobility-threat-engine", "fingerprint": "086e5222244e7e66b5e63ed14bdb1c77345808952d837f2ab09567f0ff3a75ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|086e5222244e7e66b5e63ed14bdb1c77345808952d837f2ab09567f0ff3a75ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-eval/src/markup.rs"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 86907, "scanner": "repobility-threat-engine", "fingerprint": "2ffb1165357df02216aa0a1d59f64382e08843502420fd17fdd10f35395541e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ffb1165357df02216aa0a1d59f64382e08843502420fd17fdd10f35395541e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-cli/src/main.rs"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 86906, "scanner": "repobility-threat-engine", "fingerprint": "d0e616afa1de809b2c500a0ca0e082d2fb57cb894ec3187d2f28344c2529f1d5", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d0e616afa1de809b2c500a0ca0e082d2fb57cb894ec3187d2f28344c2529f1d5"}}}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "properties": {"repobilityId": 86900, "scanner": "repobility-threat-engine", "fingerprint": "f0dd93669a653bf02fffda2afd9b0e76a853e5ce42c93064816268318cd5c24e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 52 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f0dd93669a653bf02fffda2afd9b0e76a853e5ce42c93064816268318cd5c24e", "aggregated_count": 52}}}, {"ruleId": "RUSTSEC-2024-0320", "level": "error", "message": {"text": "yaml-rust: RUSTSEC-2024-0320"}, "properties": {"repobilityId": 86936, "scanner": "osv-scanner", "fingerprint": "70967c64ce611dd07d3a189ca0d1542831d3a26c197c68aa7b72fc171615d198", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "yaml-rust", "rule_id": "RUSTSEC-2024-0320", "scanner": "osv-scanner", "correlation_key": "fp|70967c64ce611dd07d3a189ca0d1542831d3a26c197c68aa7b72fc171615d198"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "RUSTSEC-2026-0009", "level": "error", "message": {"text": "time: RUSTSEC-2026-0009"}, "properties": {"repobilityId": 86935, "scanner": "osv-scanner", "fingerprint": "9fb941cdcde7d808df297ded949de574907ac1fbeb6f7223b9e05c56e941adb0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25727", "GHSA-r6v5-fh4h-64xc"], "package": "time", "rule_id": "RUSTSEC-2026-0009", "scanner": "osv-scanner", "correlation_key": "vuln|time|CVE-2026-25727|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r6v5-fh4h-64xc", "RUSTSEC-2026-0009"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2c2d2ae12df666e8132d287bd534a3c14d824cdb5129b7d9425024955a840e9f", "9fb941cdcde7d808df297ded949de574907ac1fbeb6f7223b9e05c56e941adb0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0436", "level": "error", "message": {"text": "paste: RUSTSEC-2024-0436"}, "properties": {"repobilityId": 86933, "scanner": "osv-scanner", "fingerprint": "ecf6a49d252eada338538964a3d9bb37acf276dba6d473e55cf76f528b35783f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "paste", "rule_id": "RUSTSEC-2024-0436", "scanner": "osv-scanner", "correlation_key": "fp|ecf6a49d252eada338538964a3d9bb37acf276dba6d473e55cf76f528b35783f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0141", "level": "error", "message": {"text": "bincode: RUSTSEC-2025-0141"}, "properties": {"repobilityId": 86931, "scanner": "osv-scanner", "fingerprint": 
"634ded575a91e8662811f47a1170cf5fb4279a65e3c3176bb84aeaac3c78b213", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "bincode", "rule_id": "RUSTSEC-2025-0141", "scanner": "osv-scanner", "correlation_key": "fp|634ded575a91e8662811f47a1170cf5fb4279a65e3c3176bb84aeaac3c78b213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 86926, "scanner": "repobility-docker", "fingerprint": "734070ea9fa2cb4f5f8526763ad78cba985ac7d1ef39e97c5436f03a73d8ae3f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|734070ea9fa2cb4f5f8526763ad78cba985ac7d1ef39e97c5436f03a73d8ae3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86920, "scanner": "repobility-threat-engine", "fingerprint": "e8df1d71048ce76a90ac7b0f14ee389446324fa1e8ac1d99ec585cbeb04259c7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e8df1d71048ce76a90ac7b0f14ee389446324fa1e8ac1d99ec585cbeb04259c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-svg/src/shape.rs"}, "region": {"startLine": 141}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86919, "scanner": "repobility-threat-engine", "fingerprint": "5b057ca194e356a40fc61e7d20f41821e28f69af3dad0a44ef458308168ba412", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5b057ca194e356a40fc61e7d20f41821e28f69af3dad0a44ef458308168ba412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-pdf/src/link.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86918, "scanner": "repobility-threat-engine", "fingerprint": "f98562ab0e28f13fd14f3d52cedacfad084bdd6185931621c1de3a7f04e6367a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f98562ab0e28f13fd14f3d52cedacfad084bdd6185931621c1de3a7f04e6367a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-eval/src/markup.rs"}, "region": {"startLine": 181}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 86902, "scanner": "repobility-threat-engine", "fingerprint": "20306fe19b1d618e7f7e331baf3bab715dd2157f7e15e12ec6b12672a47e7a5e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.update(progress);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|20306fe19b1d618e7f7e331baf3bab715dd2157f7e15e12ec6b12672a47e7a5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-cli/src/download.rs"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 86901, "scanner": "repobility-threat-engine", "fingerprint": "f9ccbcd3f61f5bad71aa90a2366ca4bb03282f15153685f432b7914a1e2b7d4c", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open()?, &Deps { input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|68|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-cli/src/deps.rs"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 86899, "scanner": "repobility-threat-engine", "fingerprint": "30b512b0466b4d7e9de9d464e14450fbefee55095bcbd4ee3e0529b76f4d4acb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30b512b0466b4d7e9de9d464e14450fbefee55095bcbd4ee3e0529b76f4d4acb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-cli/build.rs"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 86898, "scanner": "repobility-threat-engine", "fingerprint": "c78d5d6972dcb383a9c35ec8fe2340a8792afe5ec11bbea75002de55713855e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c78d5d6972dcb383a9c35ec8fe2340a8792afe5ec11bbea75002de55713855e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-bundle/src/lib.rs"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 86897, "scanner": "repobility-threat-engine", "fingerprint": "ffe6482c67075e6389aea4b24ef4133ab132ebb00706a82826f147414c4501f7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ffe6482c67075e6389aea4b24ef4133ab132ebb00706a82826f147414c4501f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-bundle/src/introspect.rs"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `alpine:latest` not pinned by digest"}, "properties": {"repobilityId": 86894, "scanner": "repobility-supply-chain", "fingerprint": "9798e05823ccea6fc58a84918668699a93d134e413e4548d1373156b5bbc8ce2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9798e05823ccea6fc58a84918668699a93d134e413e4548d1373156b5bbc8ce2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 86924, "scanner": "repobility-threat-engine", "fingerprint": "a0ac431010c2a44ad9aaace0b5f551057ad604f02c09f7321fc9d1252b35b356", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(self", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a0ac431010c2a44ad9aaace0b5f551057ad604f02c09f7321fc9d1252b35b356"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/typst-library/src/foundations/context.rs"}, "region": {"startLine": 39}}}]}]}]}