{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB004", "name": "robots.txt blocks the full public site", "shortDescription": {"text": "robots.txt blocks the full public site"}, "fullDescription": {"text": "`User-agent: *` with `Disallow: /` prevents normal indexing and can also hide public docs from AI agents unless there is a clear exception."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `cohere-ai` is 1 major version(s) behind (^7.19.0 -> 8.0.0)", "shortDescription": {"text": "npm package `cohere-ai` is 1 major version(s) behind (^7.19.0 -> 8.0.0)"}, "fullDescription": {"text": "`cohere-ai` is pinned/resolved at ^7.19.0 but the latest stable release on the npm registry is 8.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 1 more): Same pattern found in 1 additional files. Review i", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC010", "name": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.", "shortDescription": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "fullDescription": {"text": "Remove immediately and rotate the token. Use environment variables."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 23 more): Same pattern found in 23 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 23 more): Same pattern found in 23 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 33 more): Same pattern found in 33 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 45 more): Same pattern found in 45 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 45 more): Same pattern found in 45 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 317 more): Same pattern found in 317 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 317 more): Same pattern found in 317 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "DKC005", "name": "Compose service adds dangerous Linux capabilities", "shortDescription": {"text": "Compose service adds dangerous Linux capabilities"}, "fullDescription": {"text": "Added capabilities expand what a compromised process can do inside or against the host kernel."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`", "shortDescription": {"text": "Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`"}, "fullDescription": {"text": "`uses: peter-evans/create-pull-request@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `ubuntu:noble-20251013` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `ubuntu:noble-20251013` not pinned by digest"}, "fullDescription": {"text": "`FROM ubuntu:noble-20251013` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "package.json dep `epub2` pulled from URL/Git", "shortDescription": {"text": "package.json dep `epub2` pulled from URL/Git"}, "fullDescription": {"text": "`dependencies.epub2` = `git+https://github.com/Mintplex-Labs/epub2-static.git#main` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express DELETE /workspace/:slug/delete-parsed-files has no auth", "shortDescription": {"text": "Express DELETE /workspace/:slug/delete-parsed-files has no auth"}, "fullDescription": {"text": "Express route DELETE /workspace/:slug/delete-parsed-files declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED123", "name": "Trojan Source bidi character (LRM) in source", "shortDescription": {"text": "Trojan Source bidi character (LRM) in source"}, "fullDescription": {"text": "Line 37 contains a Unicode bidirectional override character (U+200E LRM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see different code than the human reviewer."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.ALLM_RW_PACKAGES` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.ALLM_RW_PACKAGES` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ALLM_RW_PACKAGES }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED114", "name": "Admin endpoint without auth: POST /v1/admin/preferences", "shortDescription": {"text": "Admin endpoint without auth: POST /v1/admin/preferences"}, "fullDescription": {"text": "Express route on /admin path (/v1/admin/preferences) with no auth middleware."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "critical", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/877"}, "properties": {"repository": "Mintplex-Labs/anything-llm", "repoUrl": "https://github.com/Mintplex-Labs/anything-llm", "branch": "master"}, "results": [{"ruleId": "WEB004", "level": "warning", "message": {"text": "robots.txt blocks the full public site"}, "properties": {"repobilityId": 80613, "scanner": "repobility-web-presence", "fingerprint": "091cef0c4e0b9b859167f0a918303806a3d2aeb047a2312e007454e2f4b39247", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "robots.txt contains a global disallow rule for the root path.", "evidence": {"rule_id": "WEB004", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309"], "correlation_key": "fp|091cef0c4e0b9b859167f0a918303806a3d2aeb047a2312e007454e2f4b39247"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 80611, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 80610, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80602, "scanner": "repobility-journey-contract", "fingerprint": "279855fbb6a16f069f27db30d63d8fc43e35c2aff7578cc5faede00adbb88592", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|54|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/PrivateRoute/index.jsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80601, "scanner": "repobility-journey-contract", "fingerprint": "1a79aec14c42f1126a7a4c2327bd1f7f72fe810797e59a7076b4818d75798005", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|41|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/PrivateRoute/index.jsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80600, "scanner": "repobility-journey-contract", "fingerprint": "399c7e50bef25112a61c5ca89a85bc434674de96322ab93922616c1957d3e0f2", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|93|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Modals/Password/index.jsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80599, "scanner": "repobility-journey-contract", "fingerprint": "b647e4575cd6ae0077aaf505027a1eb8765f56ed8e6c66a232c70252b7eff262", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|51|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Modals/Password/index.jsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80598, "scanner": "repobility-journey-contract", "fingerprint": "2be6706c26aac192ca8ed7d177c1e3ab1461d403ff64c33dbc54fe174cbb7894", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|56|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Modals/Password/SingleUserAuth.jsx"}, "region": {"startLine": 56}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80597, "scanner": "repobility-journey-contract", "fingerprint": "7e37764d2b7c2f32325bd4475b59e59c4439e94281a145b8ef69edcc08fe0d19", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|40|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Modals/Password/SingleUserAuth.jsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80596, "scanner": "repobility-journey-contract", "fingerprint": "baebab02b327bce22b8c5c7eec13767f8f4c6a726e639b84369dfd9d9f5fc699", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|261|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Modals/Password/MultiUserAuth.jsx"}, "region": {"startLine": 261}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80595, "scanner": "repobility-journey-contract", "fingerprint": "d856cd1533f4b4527a849c558624376ac4c60a5bf6d9be65848424d4a4046036", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|237|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Modals/Password/MultiUserAuth.jsx"}, "region": {"startLine": 237}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80594, "scanner": "repobility-journey-contract", "fingerprint": "e2885104a68b950a1d5991eb36a1cbaaa30f28a7ca629b908961d968df76d669", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|228|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Modals/Password/MultiUserAuth.jsx"}, "region": {"startLine": 228}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80593, "scanner": "repobility-journey-contract", "fingerprint": "cc232e9befb57cea3e4a5bfafeb0e425eb9a4d0d92cab544ce865d6fcf740030", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|209|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Modals/Password/MultiUserAuth.jsx"}, "region": {"startLine": 209}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80592, "scanner": "repobility-journey-contract", "fingerprint": "94f5f615e09a6db3bc25b1d35e63d8f608b6b6b0ab33e7ae50e5c59bab893d92", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|32|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/AuthContext.jsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 80591, "scanner": "repobility-journey-contract", "fingerprint": "e973ce468a5bfc4c945a8dac3b14985c83778c837feaf9de15998f9517e38902", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|15|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/AuthContext.jsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 80587, "scanner": "repobility-docker", "fingerprint": "c5190ae4eaabd74e80e435e6c98aa425c429d9991c408401c510a09f52c698ee", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "backend-build", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c5190ae4eaabd74e80e435e6c98aa425c429d9991c408401c510a09f52c698ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 167}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 80579, "scanner": "repobility-threat-engine", "fingerprint": "16c72ee71317aee9f44a37c8dd265c871d2854d8e62191824073815697cab456", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|16c72ee71317aee9f44a37c8dd265c871d2854d8e62191824073815697cab456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/web-scraping.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 80569, "scanner": "repobility-threat-engine", "fingerprint": "10feadab8ddbb7916b92139d9c99104829de5e6341d457a16eaa3e887b393131", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|39|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/database/index.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 80568, "scanner": "repobility-threat-engine", "fingerprint": "38f9e5328817e0aa3391a96e00d7c34d3d23eee2c2e1e4657ab308e7291181f3", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|105|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/sql-agent/SQLConnectors/utils.js"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 80567, "scanner": "repobility-threat-engine", "fingerprint": "d84241391b5c475b8de008a5251f8139c97803ac25ef8ca0efa589ec8bfe31bd", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|98|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/locales/findUnusedTranslations.mjs"}, "region": {"startLine": 98}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 80545, "scanner": "repobility-threat-engine", "fingerprint": "d87a4694a10fab931df5f4ec4dccf8942d7d3f00d6ea3055ec0883ab587245d4", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d87a4694a10fab931df5f4ec4dccf8942d7d3f00d6ea3055ec0883ab587245d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/Admin/Agents/CreateFileSkillPanel/index.jsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 80544, "scanner": "repobility-threat-engine", "fingerprint": "b62f0b70862262d727f64fe22557b867fb3bd0387f1b03bd51cace3d4d9d11db", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b62f0b70862262d727f64fe22557b867fb3bd0387f1b03bd51cace3d4d9d11db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/WorkspaceChat/ChatContainer/PromptInput/SpeechToText/useSilenceDetector.js"}, "region": {"startLine": 66}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 80543, "scanner": "repobility-threat-engine", "fingerprint": "257cbbdf0545c18a0bf3abda6a997d505157db0bd02feda8641f1731d03652c8", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|257cbbdf0545c18a0bf3abda6a997d505157db0bd02feda8641f1731d03652c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/EmbeddingProgressContext.jsx"}, "region": {"startLine": 195}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 80508, "scanner": "repobility-agent-runtime", "fingerprint": "58d94a61079cbb9587494173b17ce4cb15e7979efd852a4cf14ac25420819643", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|58d94a61079cbb9587494173b17ce4cb15e7979efd852a4cf14ac25420819643"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/usePromptInputStorage.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 80507, "scanner": "repobility-agent-runtime", "fingerprint": "e255bf0cd5c7175486525a989c7be15036aa1cfce81079edc20b6d0a7b46799a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e255bf0cd5c7175486525a989c7be15036aa1cfce81079edc20b6d0a7b46799a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-and-push-image.yaml"}, "region": {"startLine": 125}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 80506, "scanner": "repobility-agent-runtime", "fingerprint": "f17f44b1878cbff45434430622e64631e32dc9a8f38565cd94a83ebda508ec92", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f17f44b1878cbff45434430622e64631e32dc9a8f38565cd94a83ebda508ec92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-and-push-image-semver.yaml"}, "region": {"startLine": 104}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `cohere-ai` is 1 major version(s) behind (^7.19.0 -> 8.0.0)"}, "properties": {"repobilityId": 80504, "scanner": "repobility-dependency-currency", "fingerprint": "deb0a453b242bd58c34f9727ebfb15dbdca6fe5a8deebf2f673c9065362afeef", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cohere-ai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.0.0", "correlation_key": "fp|deb0a453b242bd58c34f9727ebfb15dbdca6fe5a8deebf2f673c9065362afeef", "current_version": "^7.19.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `chromadb` is 1 major version(s) behind (^2.0.1 -> 3.4.3)"}, "properties": {"repobilityId": 80503, "scanner": "repobility-dependency-currency", "fingerprint": "22b961cca992e31e35321b71e340269da9165b526972450c4a60c581f27486fa", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chromadb", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.4.3", "correlation_key": "fp|22b961cca992e31e35321b71e340269da9165b526972450c4a60c581f27486fa", "current_version": "^2.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `chalk` is 1 major version(s) behind (^4 -> 5.6.2)"}, "properties": {"repobilityId": 80501, "scanner": "repobility-dependency-currency", "fingerprint": "36b28c5a4447c90da41fe697cbb036eb20913613d7e092ef07235dc9a840d240", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chalk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.6.2", "correlation_key": "fp|36b28c5a4447c90da41fe697cbb036eb20913613d7e092ef07235dc9a840d240", "current_version": "^4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `body-parser` is 1 major version(s) behind (^1.20.3 -> 2.2.2)"}, "properties": {"repobilityId": 80500, "scanner": "repobility-dependency-currency", "fingerprint": "855c43b65cd2a95c39d27c9712d794732c746682d052f54c580543d3e6ec1927", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "body-parser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.2.2", "correlation_key": "fp|855c43b65cd2a95c39d27c9712d794732c746682d052f54c580543d3e6ec1927", "current_version": "^1.20.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `apache-arrow` is 2 major version(s) behind (19.0.0 -> 21.1.0)"}, "properties": {"repobilityId": 80499, "scanner": "repobility-dependency-currency", "fingerprint": "4890326fd6bffd84ec0d3bd922aa95c8b807625db00dae6d35639c091110736e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "apache-arrow", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "21.1.0", "correlation_key": "fp|4890326fd6bffd84ec0d3bd922aa95c8b807625db00dae6d35639c091110736e", "current_version": "19.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@zilliz/milvus2-sdk-node` is 1 major version(s) behind (^2.3.5 -> 3.0.3)"}, "properties": {"repobilityId": 80497, "scanner": "repobility-dependency-currency", "fingerprint": "f6afcc7bd578001e6cbe467c9abda5fdcbc4dffbf6e60f0e60696f6cadb8eed9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@zilliz/milvus2-sdk-node", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.3", "correlation_key": "fp|f6afcc7bd578001e6cbe467c9abda5fdcbc4dffbf6e60f0e60696f6cadb8eed9", "current_version": "^2.3.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@langchain/textsplitters` is 1 major version(s) behind (0.0.0 -> 1.0.1)"}, "properties": {"repobilityId": 80492, "scanner": "repobility-dependency-currency", "fingerprint": "c2d701984e1259374f7abdd3b4221ad73e0237ffa72fe9e00727f7d6a33910e0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@langchain/textsplitters", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.0.1", "correlation_key": "fp|c2d701984e1259374f7abdd3b4221ad73e0237ffa72fe9e00727f7d6a33910e0", "current_version": "0.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@langchain/openai` is 1 major version(s) behind (0.0.28 -> 1.4.7)"}, "properties": {"repobilityId": 80491, "scanner": "repobility-dependency-currency", "fingerprint": "5f8f823ecec8a0d3d30a2999039f7ca236fd259f964d3da0e292285e13f3550f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@langchain/openai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.4.7", "correlation_key": "fp|5f8f823ecec8a0d3d30a2999039f7ca236fd259f964d3da0e292285e13f3550f", "current_version": "0.0.28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@langchain/cohere` is 1 major version(s) behind (0.0.11 -> 1.0.5)"}, "properties": {"repobilityId": 80490, "scanner": "repobility-dependency-currency", "fingerprint": "142645eee8306695acae1333f93a74f16520acd88046a0375bde250505541eec", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@langchain/cohere", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.0.5", "correlation_key": "fp|142645eee8306695acae1333f93a74f16520acd88046a0375bde250505541eec", "current_version": "0.0.11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@langchain/aws` is 1 major version(s) behind (^0.0.5 -> 1.3.9)"}, "properties": {"repobilityId": 80489, "scanner": "repobility-dependency-currency", "fingerprint": "12b268308be8fc87befadbe05833b67441bb0fc9b67e469b2854fb3cb35ab1bf", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@langchain/aws", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.3.9", "correlation_key": "fp|12b268308be8fc87befadbe05833b67441bb0fc9b67e469b2854fb3cb35ab1bf", "current_version": "^0.0.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@langchain/anthropic` is 1 major version(s) behind (0.1.16 -> 1.4.0)"}, "properties": {"repobilityId": 80488, "scanner": "repobility-dependency-currency", "fingerprint": "e66f85f6489227150d651aed36932ebb4499c22afac8fdb8bd7bf6ba82a068b6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@langchain/anthropic", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.4.0", "correlation_key": "fp|e66f85f6489227150d651aed36932ebb4499c22afac8fdb8bd7bf6ba82a068b6", "current_version": "0.1.16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@ladjs/graceful` is 2 major version(s) behind (^3.2.2 -> 5.0.0)"}, "properties": {"repobilityId": 80486, "scanner": "repobility-dependency-currency", "fingerprint": "8db805383ce59a89aaa47445eec3d143b72faf4c3991815de48f35eff914c024", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@ladjs/graceful", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.0", "correlation_key": "fp|8db805383ce59a89aaa47445eec3d143b72faf4c3991815de48f35eff914c024", "current_version": "^3.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@datastax/astra-db-ts` is 2 major version(s) behind (^0.1.3 -> 2.2.1)"}, "properties": {"repobilityId": 80485, "scanner": "repobility-dependency-currency", "fingerprint": "ceed988720c500d0944213d94a662bddc395e4b2e26f98a26d46ddb7c38d4ba3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@datastax/astra-db-ts", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.2.1", "correlation_key": "fp|ceed988720c500d0944213d94a662bddc395e4b2e26f98a26d46ddb7c38d4ba3", "current_version": "^0.1.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `jest` is 1 major version(s) behind (^29.7.0 -> 30.4.2)"}, "properties": {"repobilityId": 80482, "scanner": "repobility-dependency-currency", "fingerprint": "e5b4eeaf474a12718fb351bc9262b9b028c321328826fe5cd1097ee6af08b61a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "30.4.2", "correlation_key": "fp|e5b4eeaf474a12718fb351bc9262b9b028c321328826fe5cd1097ee6af08b61a", "current_version": "^29.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `concurrently` is 1 major version(s) behind (^9.1.2 -> 10.0.3)"}, "properties": {"repobilityId": 80481, "scanner": "repobility-dependency-currency", "fingerprint": "bd49439ef4205c5e9cbce6baa8934d15d40c4c6e8b4c3bfc107103303a61e557", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "concurrently", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.3", "correlation_key": "fp|bd49439ef4205c5e9cbce6baa8934d15d40c4c6e8b4c3bfc107103303a61e557", "current_version": "^9.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 80612, "scanner": "repobility-web-presence", "fingerprint": "324483adf8254ca063b56e61cf8282c34ca424e684bb6d08d2b13bdc52883873", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|324483adf8254ca063b56e61cf8282c34ca424e684bb6d08d2b13bdc52883873"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 80609, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 80608, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 80607, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 80589, "scanner": "repobility-docker", "fingerprint": "83489de42ca329e9d7d2db1288823f9495499f4e83c52e457f331da2c135bbcb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "anything-llm", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|83489de42ca329e9d7d2db1288823f9495499f4e83c52e457f331da2c135bbcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 80580, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 80565, "scanner": "repobility-threat-engine", "fingerprint": "e3d32e66cfb6ee787f1b6aab6b56c647afae7d069269bf55d80e434d7511db45", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = o", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|132|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/WorkspaceChat/index.jsx"}, "region": {"startLine": 132}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `cheerio` is minor version(s) behind (^1.0.0 -> 1.2.0)"}, "properties": {"repobilityId": 80502, "scanner": "repobility-dependency-currency", "fingerprint": "60e52ad0c287795835db33d7727203bc418c29a968bc11470ea5ae367277a8c2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cheerio", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.2.0", "correlation_key": "fp|60e52ad0c287795835db33d7727203bc418c29a968bc11470ea5ae367277a8c2", "current_version": "^1.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@xenova/transformers` is minor version(s) behind (^2.14.0 -> 2.17.2)"}, "properties": {"repobilityId": 80496, "scanner": "repobility-dependency-currency", "fingerprint": "51c10edadbedb3adcb3ed6202554fd325c7bac8cb1dc65aa40711106e2f19190", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@xenova/transformers", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.17.2", "correlation_key": "fp|51c10edadbedb3adcb3ed6202554fd325c7bac8cb1dc65aa40711106e2f19190", "current_version": "^2.14.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@vscode/ripgrep` is minor version(s) behind (1.17.1 -> 1.18.0)"}, "properties": {"repobilityId": 80495, "scanner": "repobility-dependency-currency", "fingerprint": "4a2f2f5f78fbfbf46fb56b8dbbdd4cbf763d11aef14c8ea53cab802183593129", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vscode/ripgrep", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.18.0", "correlation_key": "fp|4a2f2f5f78fbfbf46fb56b8dbbdd4cbf763d11aef14c8ea53cab802183593129", "current_version": "1.17.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@qdrant/js-client-rest` is minor version(s) behind (^1.9.0 -> 1.18.0)"}, "properties": {"repobilityId": 80494, "scanner": "repobility-dependency-currency", "fingerprint": "f491ab533e2931ff3314f5ff91fd9a0c631dcebd8590ce5280d2d460050785d6", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@qdrant/js-client-rest", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.18.0", "correlation_key": "fp|f491ab533e2931ff3314f5ff91fd9a0c631dcebd8590ce5280d2d460050785d6", "current_version": "^1.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@modelcontextprotocol/sdk` is minor version(s) behind (^1.24.3 -> 1.29.0)"}, "properties": {"repobilityId": 80493, "scanner": "repobility-dependency-currency", "fingerprint": "854abf62e4a309081c9118e6b01785c795c314c65b5ac7e86eb09217ddd22be1", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@modelcontextprotocol/sdk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.29.0", "correlation_key": "fp|854abf62e4a309081c9118e6b01785c795c314c65b5ac7e86eb09217ddd22be1", "current_version": "^1.24.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@lancedb/lancedb` is minor version(s) behind (0.15.0 -> 0.30.0)"}, "properties": {"repobilityId": 80487, "scanner": "repobility-dependency-currency", "fingerprint": "cc565becde915a6ec097b24f787f22e4428ccf7aface70d7c6da1ff561f434a2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@lancedb/lancedb", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.30.0", "correlation_key": "fp|cc565becde915a6ec097b24f787f22e4428ccf7aface70d7c6da1ff561f434a2", "current_version": "0.15.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@aws-sdk/client-bedrock-runtime` is minor version(s) behind (^3.775.0 -> 3.1062.0)"}, "properties": {"repobilityId": 80484, "scanner": "repobility-dependency-currency", "fingerprint": "c3b9e6ca56eca79ef1f674e3d87445aa7f2843d0f1e9029477e0f98c35eb9b9e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@aws-sdk/client-bedrock-runtime", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1062.0", "correlation_key": "fp|c3b9e6ca56eca79ef1f674e3d87445aa7f2843d0f1e9029477e0f98c35eb9b9e", "current_version": "^3.775.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@anthropic-ai/sdk` is minor version(s) behind (^0.39.0 -> 0.100.1)"}, "properties": {"repobilityId": 80483, "scanner": "repobility-dependency-currency", "fingerprint": "cda4a503e732c785b9042b2fb78c2cccfc4cd1df78813c9fa8ef7df835213a86", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@anthropic-ai/sdk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.100.1", "correlation_key": "fp|cda4a503e732c785b9042b2fb78c2cccfc4cd1df78813c9fa8ef7df835213a86", "current_version": "^0.39.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80405, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d9691a2dc027f04cb742730b18b918ce253381635bafbb140c8d1fc1f396332", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/EmbeddingSelection/GeminiOptions/index.jsx", "duplicate_line": 26, "correlation_key": "fp|9d9691a2dc027f04cb742730b18b918ce253381635bafbb140c8d1fc1f396332"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/EmbeddingSelection/MistralAiOptions/index.jsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80404, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a63dc05946645c8942cdf8a87b5fe35271a6962b749bbb1d28c1172fc22cf6be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/EmbeddingSelection/LiteLLMOptions/index.jsx", "duplicate_line": 114, "correlation_key": "fp|a63dc05946645c8942cdf8a87b5fe35271a6962b749bbb1d28c1172fc22cf6be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/EmbeddingSelection/LocalAiOptions/index.jsx"}, "region": {"startLine": 235}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80403, "scanner": "repobility-ai-code-hygiene", "fingerprint": "634b7db786e4801736c76876fa32d76413895249fe221c0e27d9ea1643248d4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/EmbeddingSelection/LemonadeOptions/index.jsx", "duplicate_line": 153, "correlation_key": "fp|634b7db786e4801736c76876fa32d76413895249fe221c0e27d9ea1643248d4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/EmbeddingSelection/LocalAiOptions/index.jsx"}, "region": {"startLine": 197}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80402, "scanner": "repobility-ai-code-hygiene", "fingerprint": "693c93d38764b99fbe789c132ff2af7e45092e7e2c5a1a4083abe6afb28e3fb9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/EmbeddingSelection/GenericOpenAiOptions/index.jsx", "duplicate_line": 86, "correlation_key": "fp|693c93d38764b99fbe789c132ff2af7e45092e7e2c5a1a4083abe6afb28e3fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/EmbeddingSelection/LocalAiOptions/index.jsx"}, "region": {"startLine": 150}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80401, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39c5e831bfb4b0534e1f096eb824e31dcaa11b2fa2c8f9bafbd246289c443dc6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/EmbeddingSelection/GeminiOptions/index.jsx", "duplicate_line": 56, "correlation_key": "fp|39c5e831bfb4b0534e1f096eb824e31dcaa11b2fa2c8f9bafbd246289c443dc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/EmbeddingSelection/LocalAiOptions/index.jsx"}, "region": {"startLine": 109}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80400, "scanner": "repobility-ai-code-hygiene", "fingerprint": "efaa113d57d369219098d95f74faec2356ea637e559eaf79715947180d0bc4c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/EmbeddingSelection/LMStudioOptions/index.jsx", "duplicate_line": 42, "correlation_key": "fp|efaa113d57d369219098d95f74faec2356ea637e559eaf79715947180d0bc4c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/EmbeddingSelection/LocalAiOptions/index.jsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80399, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3b9db58f2cbdd633cb1df0f27f36d04fd68cffd334b36411c04afeeaaedb7783", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/EmbeddingSelection/LemonadeOptions/index.jsx", "duplicate_line": 230, "correlation_key": "fp|3b9db58f2cbdd633cb1df0f27f36d04fd68cffd334b36411c04afeeaaedb7783"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/EmbeddingSelection/LiteLLMOptions/index.jsx"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80398, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94e93bdc5051477b1616419f91859e26782238cdfc90840cbfe9ef0d4a16b8ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/EmbeddingSelection/LMStudioOptions/index.jsx", "duplicate_line": 278, "correlation_key": "fp|94e93bdc5051477b1616419f91859e26782238cdfc90840cbfe9ef0d4a16b8ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/EmbeddingSelection/LiteLLMOptions/index.jsx"}, "region": {"startLine": 137}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80397, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec526ec6ce3f124d7ef52ee417559cc1403f62cb1c05ccc733d9166b85199ac2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/EmbeddingSelection/GenericOpenAiOptions/index.jsx", "duplicate_line": 39, "correlation_key": "fp|ec526ec6ce3f124d7ef52ee417559cc1403f62cb1c05ccc733d9166b85199ac2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/EmbeddingSelection/LiteLLMOptions/index.jsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80396, "scanner": "repobility-ai-code-hygiene", "fingerprint": "788c1efcc63279c019aa9de5082f712a069ce5c3cc2ca286d0729e1c78b19917", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/EmbeddingSelection/LMStudioOptions/index.jsx", "duplicate_line": 42, "correlation_key": "fp|788c1efcc63279c019aa9de5082f712a069ce5c3cc2ca286d0729e1c78b19917"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/EmbeddingSelection/LemonadeOptions/index.jsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80395, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90257cda822648acba58a8ddc26a614ce8e5122ca0f74ecd3fc57ad1ccc2386b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/CommunityHub/PublishEntityModal/AgentFlows/index.jsx", "duplicate_line": 45, "correlation_key": "fp|90257cda822648acba58a8ddc26a614ce8e5122ca0f74ecd3fc57ad1ccc2386b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/CommunityHub/PublishEntityModal/SystemPrompts/index.jsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80394, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c93d6eeb1aad8c55200e6b97b22a41945611149055d6f3bab6437a2f48b02259", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/CommunityHub/PublishEntityModal/SlashCommands/index.jsx", "duplicate_line": 9, "correlation_key": "fp|c93d6eeb1aad8c55200e6b97b22a41945611149055d6f3bab6437a2f48b02259"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/CommunityHub/PublishEntityModal/SystemPrompts/index.jsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80393, "scanner": "repobility-ai-code-hygiene", "fingerprint": "26d78b6bc1e29a6d31fd83c9ae4ce2b9ee6034a340ba416d8e6a8ed7a3d3ad49", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/CommunityHub/PublishEntityModal/AgentFlows/index.jsx", "duplicate_line": 45, "correlation_key": "fp|26d78b6bc1e29a6d31fd83c9ae4ce2b9ee6034a340ba416d8e6a8ed7a3d3ad49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/CommunityHub/PublishEntityModal/SlashCommands/index.jsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80392, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75ddda589be49c09e4a557710d571449610f68e5ae1ccfc2e420d6c05c45ea7e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/utils/extensions/RepoLoader/GithubRepo/index.js", "duplicate_line": 27, "correlation_key": "fp|75ddda589be49c09e4a557710d571449610f68e5ae1ccfc2e420d6c05c45ea7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/utils/extensions/RepoLoader/GitlabRepo/index.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80391, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7212d6c6fd421f92cf5ab389c0ecdc7a318a588dfbf34bdeb1851c8c0cf11df5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/utils/extensions/Confluence/index.js", "duplicate_line": 108, "correlation_key": "fp|7212d6c6fd421f92cf5ab389c0ecdc7a318a588dfbf34bdeb1851c8c0cf11df5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/utils/extensions/PaperlessNgx/index.js"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80390, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3bd19ce28ea3315c4b7d82d04603b4e6d87f2a2ecc18741ace4fc5d490183d2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asDocx.js", "duplicate_line": 43, "correlation_key": "fp|b3bd19ce28ea3315c4b7d82d04603b4e6d87f2a2ecc18741ace4fc5d490183d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asTxt.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80389, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9cfd078b3f0a32041de924afe50544efd58c1c6ab11772e6768fc118ef12a317", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asAudio.js", "duplicate_line": 54, "correlation_key": "fp|9cfd078b3f0a32041de924afe50544efd58c1c6ab11772e6768fc118ef12a317"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asTxt.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80388, "scanner": "repobility-ai-code-hygiene", "fingerprint": "256ef3ad1c77e0d5ae35443e65b643c74a356d5ff5f22766894deca7a515922f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asEPub.js", "duplicate_line": 23, "correlation_key": "fp|256ef3ad1c77e0d5ae35443e65b643c74a356d5ff5f22766894deca7a515922f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asTxt.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80387, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eac8c4dbbe0c199ee025ecc83bfa834c4f2d098d0ff436d5c6c1576367d18bec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asAudio.js", "duplicate_line": 54, "correlation_key": "fp|eac8c4dbbe0c199ee025ecc83bfa834c4f2d098d0ff436d5c6c1576367d18bec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asPDF/index.js"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80386, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d4819812d48f08b2287f22aa02d03c4eb16ccd7a870f90765bfbe6c3dcdb5e8d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asDocx.js", "duplicate_line": 27, "correlation_key": "fp|d4819812d48f08b2287f22aa02d03c4eb16ccd7a870f90765bfbe6c3dcdb5e8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asPDF/index.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80385, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d8942a07c5fec846665b3d132b8484f3c3db419f1c9f98fba85283176f9f53ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asDocx.js", "duplicate_line": 43, "correlation_key": "fp|d8942a07c5fec846665b3d132b8484f3c3db419f1c9f98fba85283176f9f53ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asOfficeMime.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80384, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11535c2544be844c0192936379a5e470e3f1273d6a14e0644b503e9b8bf089d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asAudio.js", "duplicate_line": 39, "correlation_key": "fp|11535c2544be844c0192936379a5e470e3f1273d6a14e0644b503e9b8bf089d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asOfficeMime.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80383, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3daee1b3772679e932fa7b311307285d7e3bea362406dee71be56de8a3d09b0f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asDocx.js", "duplicate_line": 43, "correlation_key": "fp|3daee1b3772679e932fa7b311307285d7e3bea362406dee71be56de8a3d09b0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asImage.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80382, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ee6243bc24401602005c5175311c9e6d7f9dcb79170c69dfb9a6131ec514272", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asAudio.js", "duplicate_line": 54, "correlation_key": "fp|1ee6243bc24401602005c5175311c9e6d7f9dcb79170c69dfb9a6131ec514272"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asImage.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80381, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f6102fe2c2492a63ae5c457af41d9fb78f86317a2ad52f1cbdfde88c1a38ca4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asEPub.js", "duplicate_line": 24, "correlation_key": "fp|0f6102fe2c2492a63ae5c457af41d9fb78f86317a2ad52f1cbdfde88c1a38ca4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asImage.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80380, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d2bb0a7e05fe05fbadb35a034b7d44c7bf892423c3a15f1bc39baa6dfa5bfd7f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asDocx.js", "duplicate_line": 43, "correlation_key": "fp|d2bb0a7e05fe05fbadb35a034b7d44c7bf892423c3a15f1bc39baa6dfa5bfd7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asEPub.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80379, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72511ecd60ae0528bc13fbe0e84625a610b7f29b4b5f868a9378f26a420ecd88", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asAudio.js", "duplicate_line": 54, "correlation_key": "fp|72511ecd60ae0528bc13fbe0e84625a610b7f29b4b5f868a9378f26a420ecd88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asEPub.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80378, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c36681d3ea2508b045ba58bef1c3bf8a14085972c2601f3b036d237a2e9f44d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "collector/processSingleFile/convert/asAudio.js", "duplicate_line": 54, "correlation_key": "fp|1c36681d3ea2508b045ba58bef1c3bf8a14085972c2601f3b036d237a2e9f44d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/convert/asDocx.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80377, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f66c039661a25ee4fec95b12741769e4d36e33d4442add1b2418b2216e9b5be4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/utils/agents/aibitat/plugins/gmail/drafts/gmail-create-draft.js", "duplicate_line": 15, "correlation_key": "fp|f66c039661a25ee4fec95b12741769e4d36e33d4442add1b2418b2216e9b5be4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/outlook/drafts/outlook-create-draft.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 80376, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70c9140446994a11435ac9b6c164362fe40f89b64b5376bd9fb5076a906556f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/utils/agents/aibitat/plugins/gmail/drafts/gmail-create-draft.js", "duplicate_line": 49, "correlation_key": "fp|70c9140446994a11435ac9b6c164362fe40f89b64b5376bd9fb5076a906556f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/gmail/drafts/gmail-update-draft.js"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80375, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8c14d619e402798f944242d9ad4b2079673e23f21bd8f9d16d2489328988e50", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|f8c14d619e402798f944242d9ad4b2079673e23f21bd8f9d16d2489328988e50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/outlook/drafts/outlook-update-draft.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80374, "scanner": "repobility-ai-code-hygiene", "fingerprint": "21ae3224660282075e17cde6391fa77a2ce36bff5453764638d8a02943dc055f", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|21ae3224660282075e17cde6391fa77a2ce36bff5453764638d8a02943dc055f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/outlook/drafts/outlook-send-draft.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80373, "scanner": "repobility-ai-code-hygiene", "fingerprint": "043d7594e0bbca97b697274c7c68703112ce69e8e727c8b04464ee43562c46fa", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|043d7594e0bbca97b697274c7c68703112ce69e8e727c8b04464ee43562c46fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/outlook/drafts/outlook-delete-draft.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80372, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb99cb833b7f632f9feee0e127eb6158b028edb27f4460a9c896c25c9a9624f2", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|eb99cb833b7f632f9feee0e127eb6158b028edb27f4460a9c896c25c9a9624f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/outlook/drafts/outlook-create-draft.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80371, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1ccc80a10e807bb0a53306538a0fe0f73dba611fe11d6819923e437ed4faf5f", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|a1ccc80a10e807bb0a53306538a0fe0f73dba611fe11d6819923e437ed4faf5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/gmail/drafts/gmail-update-draft.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80370, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05e10cd029fe972c00c4f892198bfdde898ae3fc29d62300143df5327b8e0df5", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|05e10cd029fe972c00c4f892198bfdde898ae3fc29d62300143df5327b8e0df5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/gmail/drafts/gmail-send-draft.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80369, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45aaa383dbc7dd88e7cb68e1590c6bb13bb98e5a7ab980a4a77628bfe11bb6c7", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|45aaa383dbc7dd88e7cb68e1590c6bb13bb98e5a7ab980a4a77628bfe11bb6c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/gmail/drafts/gmail-get-draft.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80368, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5089f4d0f6202f8d631cb053a570f21592969acabb94b45c7a41d236d568155f", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|5089f4d0f6202f8d631cb053a570f21592969acabb94b45c7a41d236d568155f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/gmail/drafts/gmail-delete-draft.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 80367, "scanner": "repobility-ai-code-hygiene", "fingerprint": "438d397c1fe25a75b71bbfbdffc46ee006b27c4177267541fc73f1cc9e6e2fe1", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|438d397c1fe25a75b71bbfbdffc46ee006b27c4177267541fc73f1cc9e6e2fe1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/gmail/drafts/gmail-create-draft.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 80586, "scanner": "repobility-docker", "fingerprint": "7d0016d83309afcd971efa6805d583258f4006a12234e56cfa56dd3928b74a5a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "build-${TARGETARCH}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|7d0016d83309afcd971efa6805d583258f4006a12234e56cfa56dd3928b74a5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 131}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 80583, "scanner": "repobility-docker", "fingerprint": "9486ab171c8f9fa80acd2619199feaf39a931d7f1699184dfc2346ff08c860be", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "build-${TARGETARCH}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|9486ab171c8f9fa80acd2619199feaf39a931d7f1699184dfc2346ff08c860be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloud-deployments/openshift/Dockerfile"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 80578, "scanner": "repobility-threat-engine", "fingerprint": "0eaf7c92b8def19d1c49bfc95d1419af85f064bc851600a02b23ff64ede5c5de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0eaf7c92b8def19d1c49bfc95d1419af85f064bc851600a02b23ff64ede5c5de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/gmail/search/gmail-get-inbox.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 80577, "scanner": "repobility-threat-engine", "fingerprint": "baa62563abbb4128d2dbe642126b24c79f32bf6a43feacd865308a754f1748e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|baa62563abbb4128d2dbe642126b24c79f32bf6a43feacd865308a754f1748e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/create-files/xlsx/utils.js"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 80576, "scanner": "repobility-threat-engine", "fingerprint": "c2810a4ea2967f7558285a6e47a7f4304cd365b21a505ee9ea7e05fc172e733c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2810a4ea2967f7558285a6e47a7f4304cd365b21a505ee9ea7e05fc172e733c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agentFlows/flowTypes.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC100", "level": "none", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 80574, "scanner": "repobility-threat-engine", "fingerprint": "3888f3c97e91453967cfccb92eafef6441d6b43a8e3292bee1c79ed7ba8271b8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3888f3c97e91453967cfccb92eafef6441d6b43a8e3292bee1c79ed7ba8271b8"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 80570, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 80564, "scanner": "repobility-threat-engine", "fingerprint": "43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049"}}}, {"ruleId": "MINED099", "level": "none", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 80556, "scanner": "repobility-threat-engine", "fingerprint": "f9a2615f887e01d2b59c0671e8c3f5e76f4a86d24da2ad7bd20615b5557ac138", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'placeholder' detected on same line", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f9a2615f887e01d2b59c0671e8c3f5e76f4a86d24da2ad7bd20615b5557ac138"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/VectorDBSelection/ChromaDBOptions/index.jsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC010", "level": "none", "message": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "properties": {"repobilityId": 80555, "scanner": "repobility-threat-engine", "fingerprint": "1be61aec7e3123dd6833dcb6c37116a6480b23244f1ad2b7f457968cd764cb2b", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Form field or UI element reference", "evidence": {"match": "sk-myApiKeyToAccessMyChromaInstance", "reason": "Form field or UI element reference", "rule_id": "SEC010", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|4|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/VectorDBSelection/ChromaDBOptions/index.jsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 80554, "scanner": "repobility-threat-engine", "fingerprint": "dd55ce3a9f3f9694552e8f4756890f4a32ddb6947f938d3ce6625eb2c930cc47", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dd55ce3a9f3f9694552e8f4756890f4a32ddb6947f938d3ce6625eb2c930cc47", "aggregated_count": 7}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 80553, "scanner": "repobility-threat-engine", "fingerprint": "61d69d392a79da47025978631ad4282991a0c74a10122ecfb9d567abe548923e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|61d69d392a79da47025978631ad4282991a0c74a10122ecfb9d567abe548923e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx"}, "region": {"startLine": 308}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 80552, "scanner": "repobility-threat-engine", "fingerprint": "d81e3240810d56b3c7faab416f0f1dd166d47c66277e5ab1458d2e7ca6af1423", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d81e3240810d56b3c7faab416f0f1dd166d47c66277e5ab1458d2e7ca6af1423"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Modals/ManageWorkspace/DataConnectors/Connectors/Github/index.jsx"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 80551, "scanner": "repobility-threat-engine", "fingerprint": "d7e3df3ed5cb42bdc582370badcec0956e94b0d40a29a5cad3c5b3c7f34575c2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7e3df3ed5cb42bdc582370badcec0956e94b0d40a29a5cad3c5b3c7f34575c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ChatBubble/index.jsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 80550, "scanner": "repobility-threat-engine", "fingerprint": "4c86edd3b9f13039afada8352e86578ce2f543afa56af294332176b463d3723a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4c86edd3b9f13039afada8352e86578ce2f543afa56af294332176b463d3723a", "aggregated_count": 23}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 80549, "scanner": "repobility-threat-engine", "fingerprint": "661e324ea9ba38c43e051fbdabedbdfb2106a9152b3ecd00659a137cc68af517", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|661e324ea9ba38c43e051fbdabedbdfb2106a9152b3ecd00659a137cc68af517"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/CommunityHub/PublishEntityModal/SlashCommands/index.jsx"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 80548, "scanner": "repobility-threat-engine", "fingerprint": "e41760d7a04499823068b246ea9ba52c83610e872b350bd097ab117edcbbda17", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e41760d7a04499823068b246ea9ba52c83610e872b350bd097ab117edcbbda17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/CommunityHub/PublishEntityModal/AgentFlows/index.jsx"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 80547, "scanner": "repobility-threat-engine", "fingerprint": "a5027f074a02e32ddc8a8ad4bb1b9b4495e2892b37d42b2a122e86f40e282f90", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5027f074a02e32ddc8a8ad4bb1b9b4495e2892b37d42b2a122e86f40e282f90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/ChangeWarning/index.jsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 80546, "scanner": "repobility-threat-engine", "fingerprint": "1496843c0eed8a51734332986313792a7364ab3d042de13136eb2fd93f9e84d8", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1496843c0eed8a51734332986313792a7364ab3d042de13136eb2fd93f9e84d8"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 80542, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 80541, "scanner": "repobility-threat-engine", "fingerprint": "332551c27bbd79be0d7a6782c9c7b875e082798c6d211c5c906a292f08ced592", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|332551c27bbd79be0d7a6782c9c7b875e082798c6d211c5c906a292f08ced592"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/models/embedConfig.js"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 80540, "scanner": "repobility-threat-engine", "fingerprint": "ea19150eb52cfd574e3445fc8fcaa2f271107b0a63f8fb3b1346c56c68bb2884", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea19150eb52cfd574e3445fc8fcaa2f271107b0a63f8fb3b1346c56c68bb2884"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/utils/constants.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 80539, "scanner": "repobility-threat-engine", "fingerprint": "9f83433a190652f2e2b8116c7b0a95f841d2aeebf7987b152269b6719c9fdf11", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f83433a190652f2e2b8116c7b0a95f841d2aeebf7987b152269b6719c9fdf11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/utils/url/index.js"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 80538, "scanner": "repobility-threat-engine", "fingerprint": "019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 80537, "scanner": "repobility-threat-engine", "fingerprint": "0860afaa27ed05eb31ed1ffa9a1dda8a5469ed8131b1c0e27e72b8ce892c9ba7", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(\"FAILED TO CREATE PASSWORD RESET TOKEN.\", error.message)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|console.error failed to create password reset token. error.message"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/models/passwordRecovery.js"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 80536, "scanner": "repobility-threat-engine", "fingerprint": "526224eb3e4044b084d9368d834282a4a9b37d6d8b642ec355e460d7419e362d", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(\"validDeviceToken\", error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|3|console.error validdevicetoken error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/mobile/middleware/index.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 80535, "scanner": "repobility-threat-engine", "fingerprint": "035f4467ae8a2f777550f8943306007fcbf0fe90222639c106e2bd3ce180fb77", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "console.log(`\\x1b[35m[TikTokenTokenizer]\\x1b[0m ${text}`, ...args)", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|console.log x1b 35m tiktokentokenizer x1b 0m text ...args"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/utils/tokenizer/index.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 80534, "scanner": "repobility-threat-engine", "fingerprint": "1231d1568fe46b0359a9552e6f5b0080c104928e5ddbfe51869a88207b0f7e54", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1231d1568fe46b0359a9552e6f5b0080c104928e5ddbfe51869a88207b0f7e54"}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "properties": {"repobilityId": 80530, "scanner": "repobility-threat-engine", "fingerprint": "ab687498e34778f6a0eb3d501c7ac1edfd6d5ba61cc1f025c82bb6a3f31e1fdb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ab687498e34778f6a0eb3d501c7ac1edfd6d5ba61cc1f025c82bb6a3f31e1fdb", "aggregated_count": 33}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 80529, "scanner": "repobility-threat-engine", "fingerprint": "149ce4bee522b29a5255a60c96007d112be41e3bb230ce735ee75d5afe66a607", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|149ce4bee522b29a5255a60c96007d112be41e3bb230ce735ee75d5afe66a607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/AiProviders/anthropic/index.js"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 80528, "scanner": "repobility-threat-engine", "fingerprint": "c3a1e9d53f4b44f64822454f673dd5a489333c0be7dfd01ade6f4052a8d41c1e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c3a1e9d53f4b44f64822454f673dd5a489333c0be7dfd01ade6f4052a8d41c1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/utils/tokenizer/index.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 80527, "scanner": "repobility-threat-engine", "fingerprint": "60e6f32c0a9b4f77a7fcff03e11e2a61bf943fd35631cd7947eec265f8495e45", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|60e6f32c0a9b4f77a7fcff03e11e2a61bf943fd35631cd7947eec265f8495e45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/utils/extensions/RepoLoader/GithubRepo/RepoLoader/index.js"}, "region": {"startLine": 157}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 80526, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 80519, "scanner": "repobility-threat-engine", "fingerprint": "a1bea99135454c115590ebf156d65d095530b5bf8028c3145ef2fb62b633b568", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a1bea99135454c115590ebf156d65d095530b5bf8028c3145ef2fb62b633b568"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/index.js"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 80518, "scanner": "repobility-threat-engine", "fingerprint": "a9ba919bd8ec86a28c88873d7213675d1d88f4cf826ef704a29c63ffb1a5e42d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a9ba919bd8ec86a28c88873d7213675d1d88f4cf826ef704a29c63ffb1a5e42d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/index.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 45 more): Same pattern found in 45 additional files. Review if needed."}, "properties": {"repobilityId": 80517, "scanner": "repobility-threat-engine", "fingerprint": "ade48a0ef3640f4a385a7c274cf93444d0b91b16b370dc43fd18f27c99e88f62", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 45 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 45 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ade48a0ef3640f4a385a7c274cf93444d0b91b16b370dc43fd18f27c99e88f62"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 317 more): Same pattern found in 317 additional files. Review if needed."}, "properties": {"repobilityId": 80513, "scanner": "repobility-threat-engine", "fingerprint": "a68d1b93e3dc0548ceba3086f45cdc75467335b8979222572aacee6c0e4ee82d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 317 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a68d1b93e3dc0548ceba3086f45cdc75467335b8979222572aacee6c0e4ee82d", "aggregated_count": 317}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 80512, "scanner": "repobility-threat-engine", "fingerprint": "06f971c0701273b4ac5473bda3df6ae279a59a03157c2596e249ded48f210e56", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|06f971c0701273b4ac5473bda3df6ae279a59a03157c2596e249ded48f210e56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/resync/index.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 80511, "scanner": "repobility-threat-engine", "fingerprint": "d2afd2f2d8fd5f60d82a763dd13e2e664e6283c89a8219717344f8204a3f3fc9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2afd2f2d8fd5f60d82a763dd13e2e664e6283c89a8219717344f8204a3f3fc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/index.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 80510, "scanner": "repobility-threat-engine", "fingerprint": "4ba51f6f8784db30d3085c82c33e5f42cdf2b0e2a5ed304f36fc285944834440", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ba51f6f8784db30d3085c82c33e5f42cdf2b0e2a5ed304f36fc285944834440"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/convertAudioToWav/index.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 80509, "scanner": "repobility-threat-engine", "fingerprint": "582e95fb1cd1f45571bb6352c572a607c2f7ca6b1c7f19818776d3952973dd30", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|582e95fb1cd1f45571bb6352c572a607c2f7ca6b1c7f19818776d3952973dd30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloud-deployments/digitalocean/terraform/main.tf"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `cors` is patch version(s) behind (^2.8.5 -> 2.8.6)"}, "properties": {"repobilityId": 80505, "scanner": "repobility-dependency-currency", "fingerprint": "7e37bc4ebb5e4c48ffaae05415d4e8a5c0e2ba81f8d67ee6255093a9e7528624", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cors", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.6", "correlation_key": "fp|7e37bc4ebb5e4c48ffaae05415d4e8a5c0e2ba81f8d67ee6255093a9e7528624", "current_version": "^2.8.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `adm-zip` is patch version(s) behind (^0.5.16 -> 0.5.17)"}, "properties": {"repobilityId": 80498, "scanner": "repobility-dependency-currency", "fingerprint": "8672ffef65bec2e12a152a5a871a45259c00c86a05a998946003f5ca44346a69", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "adm-zip", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.17", "correlation_key": "fp|8672ffef65bec2e12a152a5a871a45259c00c86a05a998946003f5ca44346a69", "current_version": "^0.5.16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 80606, "scanner": "repobility-journey-contract", "fingerprint": "d9f0c3cef21c78a25a23253b707e3d0939019dfd7909ec0692940a82c5551ede", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|360|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/Admin/Agents/SQLConnectorSelection/SQLConnectionModal.jsx"}, "region": {"startLine": 360}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 80605, "scanner": "repobility-journey-contract", "fingerprint": "a796b31a892971ed506bf74d50e27ec30dfd90eaf26b3fc09ad253752c925b0b", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|287|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/Admin/Agents/GoogleCalendarSkillPanel/index.jsx"}, "region": {"startLine": 287}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 80604, "scanner": "repobility-journey-contract", "fingerprint": "8b69c14ffc2bb8f562a792089b991841525f7ed73356397a987f1647eab30486", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|278|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/Admin/Agents/GMailSkillPanel/index.jsx"}, "region": {"startLine": 278}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 80603, "scanner": "repobility-journey-contract", "fingerprint": "32c61d7ee0dd3ced9df8f2b130f7a3591b65e73a276acddeee10ef3bab41b663", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|16|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/TextToSpeech/OpenAiOptions/index.jsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC005", "level": "error", "message": {"text": "Compose service adds dangerous Linux capabilities"}, "properties": {"repobilityId": 80588, "scanner": "repobility-docker", "fingerprint": "d470a013120fde716ac2d45d994b569a48952619452b4793f3a13a92f3167d72", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "cap_add includes broad or sensitive Linux capabilities.", "evidence": {"rule_id": "DKC005", "scanner": "repobility-docker", "service": "anything-llm", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "capabilities": ["SYS_ADMIN"], "correlation_key": "fp|d470a013120fde716ac2d45d994b569a48952619452b4793f3a13a92f3167d72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 80585, "scanner": "repobility-docker", "fingerprint": "c428ea4ca54565e8a475aaada28a2ebce72e0bc59c884a067db6b85ce83ed291", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c428ea4ca54565e8a475aaada28a2ebce72e0bc59c884a067db6b85ce83ed291"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 84}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 80584, "scanner": "repobility-docker", "fingerprint": "a99d056841a95b37a36012e5c9b609b73fde384c69f21da8b401e3514fb84278", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a99d056841a95b37a36012e5c9b609b73fde384c69f21da8b401e3514fb84278"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 80582, "scanner": "repobility-docker", "fingerprint": "4202858c43730eb11e5aad9f386d98e58761af2a5bc233c94ee3a1bcb7dba4ab", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4202858c43730eb11e5aad9f386d98e58761af2a5bc233c94ee3a1bcb7dba4ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloud-deployments/openshift/Dockerfile"}, "region": {"startLine": 105}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 80581, "scanner": "repobility-docker", "fingerprint": "6aa9e81d9b8debeafb7e6de8468775398421b3a8aa0b6379c042f1e532b59a7d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6aa9e81d9b8debeafb7e6de8468775398421b3a8aa0b6379c042f1e532b59a7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloud-deployments/openshift/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 80575, "scanner": "repobility-threat-engine", "fingerprint": "3320d0ba68831cf63059e7faeb234c6dee49d76121f7e278a1e70ff6bdf2f2d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Router.post(\"/v/:command\", async (request, response) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3320d0ba68831cf63059e7faeb234c6dee49d76121f7e278a1e70ff6bdf2f2d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/index.js"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 80573, "scanner": "repobility-threat-engine", "fingerprint": "8c8729ce875efda9cf50c13a0bd2839ed72518cea34444c27bd28f5bf49d110d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8c8729ce875efda9cf50c13a0bd2839ed72518cea34444c27bd28f5bf49d110d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/embed/index.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 80572, "scanner": "repobility-threat-engine", "fingerprint": "b96df263cbb4bebd248c70c5818bc42c71d109d95073d58bf54499496e8ab4aa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b96df263cbb4bebd248c70c5818bc42c71d109d95073d58bf54499496e8ab4aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/chat.js"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 80571, "scanner": "repobility-threat-engine", "fingerprint": "183e385c580642d49c8629bad16c99544a2776da48de81d1973287d695867c28", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|183e385c580642d49c8629bad16c99544a2776da48de81d1973287d695867c28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/api/openai/index.js"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 80566, "scanner": "repobility-threat-engine", "fingerprint": "e03f9eb17773173c589c1711148134be5cea18bdadb43ad5fb4f5d29dca821bc", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|server/swagger/index.js|24|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/swagger/index.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 80563, "scanner": "repobility-threat-engine", "fingerprint": "143328b5a9cb4ad53ed2ae4f599eac62e7e555ccddf738500696d7cb60c1df6f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cancelled.delete(filePath);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|143328b5a9cb4ad53ed2ae4f599eac62e7e555ccddf738500696d7cb60c1df6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/jobs/embedding-worker.js"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 80562, "scanner": "repobility-threat-engine", "fingerprint": "b740f57f868126daae164b51f61422c71e04766ed36ee730dedfd0c948056fca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b740f57f868126daae164b51f61422c71e04766ed36ee730dedfd0c948056fca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/document.js"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 80561, "scanner": "repobility-threat-engine", "fingerprint": "816b153679697179ba86bcaddf825751e96d2febf28d0805cfc4b1a58f19a69b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|816b153679697179ba86bcaddf825751e96d2febf28d0805cfc4b1a58f19a69b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/WorkspaceChat/ChatContainer/PromptInput/LLMSelector/index.jsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 80560, "scanner": "repobility-threat-engine", "fingerprint": "042ead9426d2faa7781a7d062b2fa632f484f0f68f493a3fc62e1b289d498061", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n  SEPARATORS", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|042ead9426d2faa7781a7d062b2fa632f484f0f68f493a3fc62e1b289d498061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/helpers/camelcase.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 80559, "scanner": "repobility-threat-engine", "fingerprint": "db105d086e8d2ceecdcb28648abbe6cf03de8f5b6fd48ed15db3bc74891f9481", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n  THOUGHT_KEYWORDS", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|db105d086e8d2ceecdcb28648abbe6cf03de8f5b6fd48ed15db3bc74891f9481"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/jobs/helpers/index.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 80558, "scanner": "repobility-threat-engine", "fingerprint": "3606056f41c5eabc1723d86231630f6c2d49be7af7a2f82bec65f3fa63324bcd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n  THOUGHT_KEYWORDS", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3606056f41c5eabc1723d86231630f6c2d49be7af7a2f82bec65f3fa63324bcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/ThoughtContainer/index.jsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 80533, "scanner": "repobility-threat-engine", "fingerprint": "721e1dc1eaa598af28f99541aba7b04f8a9ceeeeea228d04268e34acc3121065", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((keyword) => `<${keyword}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|721e1dc1eaa598af28f99541aba7b04f8a9ceeeeea228d04268e34acc3121065"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/ThoughtContainer/index.jsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 80532, "scanner": "repobility-threat-engine", "fingerprint": "b23fda877c2aea46faa7c6e9a80ed23076e7976de7e14031e124ada9ca701637", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n      (item) => `${item.folderName}/${item.name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b23fda877c2aea46faa7c6e9a80ed23076e7976de7e14031e124ada9ca701637"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Modals/ManageWorkspace/Documents/index.jsx"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 80531, "scanner": "repobility-threat-engine", "fingerprint": "39ec8c15d8ab98911f40894b866f9dfbc86f77f0a385b0aa86e347c35f0bbba7", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((s) => `  - ${s}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|39ec8c15d8ab98911f40894b866f9dfbc86f77f0a385b0aa86e347c35f0bbba7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/utils/extensions/RepoLoader/GitlabRepo/index.js"}, "region": {"startLine": 233}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 80525, "scanner": "repobility-threat-engine", "fingerprint": "9d5b89183e078713f0183205f1ae2fa0f9d328323512632a5e4e0d8b2465aefa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(uri", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d5b89183e078713f0183205f1ae2fa0f9d328323512632a5e4e0d8b2465aefa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/aibitat/plugins/sql-agent/SQLConnectors/utils.js"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 80524, "scanner": "repobility-threat-engine", "fingerprint": "873d3b0da17d09b9dd58457f719aaa4216efd94b421e22c0ab1ecfaa4f61edf2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|873d3b0da17d09b9dd58457f719aaa4216efd94b421e22c0ab1ecfaa4f61edf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/locales/findUnusedTranslations.mjs"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 80523, "scanner": "repobility-threat-engine", "fingerprint": "af68dab2eddd4ed6882ad10cfdc190dd72e0786713e24f8c048937447bd42f55", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|af68dab2eddd4ed6882ad10cfdc190dd72e0786713e24f8c048937447bd42f55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/utils/WhisperProviders/ffmpeg/index.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 80516, "scanner": "repobility-threat-engine", "fingerprint": "b42a4a1631821d2ccc6639ceba0d12192d3dd02742d4681db57afcfd68c082da", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b42a4a1631821d2ccc6639ceba0d12192d3dd02742d4681db57afcfd68c082da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processLink/helpers/htmlToMarkdown.js"}, "region": {"startLine": 132}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 80515, "scanner": "repobility-threat-engine", "fingerprint": "7100e9d7c81f330ca61ef3be867c62cf87b4898ab6f37554e570444e1f5ff62d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7100e9d7c81f330ca61ef3be867c62cf87b4898ab6f37554e570444e1f5ff62d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processLink/convert/generic.js"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 80514, "scanner": "repobility-threat-engine", "fingerprint": "752ec30c0aeb65357d9133980638c0375cdd4587784c466fdb6f9f5a08a97734", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|752ec30c0aeb65357d9133980638c0375cdd4587784c466fdb6f9f5a08a97734"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/index.js"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 80479, "scanner": "repobility-supply-chain", "fingerprint": "f7e3276edd7f72ec4aca97d6c725ad4c327556b4e0da71f1369acfd814a9be8a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f7e3276edd7f72ec4aca97d6c725ad4c327556b4e0da71f1369acfd814a9be8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sponsors.yaml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `stefanzweifel/git-auto-commit-action` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 80478, "scanner": "repobility-supply-chain", "fingerprint": "b4a08e96ee430e3614479fa0721d99ff405468c204bd77fb9b6d5ac4f06abdf0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4a08e96ee430e3614479fa0721d99ff405468c204bd77fb9b6d5ac4f06abdf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sponsors.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `JamesIves/github-sponsors-readme-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 80477, "scanner": "repobility-supply-chain", "fingerprint": "bd29eccc9a2fd64737fc44d3dbe56f52c307bf2d9b32ae4aa2334e14484724e6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd29eccc9a2fd64737fc44d3dbe56f52c307bf2d9b32ae4aa2334e14484724e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sponsors.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 80476, "scanner": "repobility-supply-chain", "fingerprint": "56cf45baa3717f88043888980cfafb383f948da31c74eb15a9425be5cc5ae720", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|56cf45baa3717f88043888980cfafb383f948da31c74eb15a9425be5cc5ae720"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sponsors.yaml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 80475, "scanner": "repobility-supply-chain", "fingerprint": "01e3d6a2ad60af6d6ad54f8d093c1d8016e17690c882a7d74dc6d53156e37bc9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01e3d6a2ad60af6d6ad54f8d093c1d8016e17690c882a7d74dc6d53156e37bc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-and-push-image.yaml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 80474, "scanner": "repobility-supply-chain", "fingerprint": "c85654fdf2a6d81dcf692ed972c5d436f490efae9f9ec83e78567de875d0c5f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c85654fdf2a6d81dcf692ed972c5d436f490efae9f9ec83e78567de875d0c5f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yaml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 80473, "scanner": "repobility-supply-chain", "fingerprint": "fb70fae2201f2e9ead959623a7acf36be17702cc32795fae34286c5128fd1a81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fb70fae2201f2e9ead959623a7acf36be17702cc32795fae34286c5128fd1a81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yaml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 80472, "scanner": "repobility-supply-chain", "fingerprint": "5c5ad0d86f7e534108a4fa4a11c9ed6eb04e42b833f8f53850502993341e7a0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c5ad0d86f7e534108a4fa4a11c9ed6eb04e42b833f8f53850502993341e7a0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yaml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 80471, "scanner": "repobility-supply-chain", "fingerprint": "3bbf544b70ea30874d889d93593a807efcab8ca9d8a0fc859539e4e056355707", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3bbf544b70ea30874d889d93593a807efcab8ca9d8a0fc859539e4e056355707"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yaml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 80470, "scanner": "repobility-supply-chain", "fingerprint": "6af383f0ffcef67cec0d1c01762abe6ed3a2e00a4eff9aa1e6d0f10944f56602", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6af383f0ffcef67cec0d1c01762abe6ed3a2e00a4eff9aa1e6d0f10944f56602"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 80469, "scanner": "repobility-supply-chain", "fingerprint": "3819b8af8a89f732f458d2e6270ba296d00eae96201cfabfb711d577ecadc734", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3819b8af8a89f732f458d2e6270ba296d00eae96201cfabfb711d577ecadc734"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yaml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 80468, "scanner": "repobility-supply-chain", "fingerprint": "3d769826e1ba3497120d0365965f49b0ea7b4b59bef7b4880518512078df9c14", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d769826e1ba3497120d0365965f49b0ea7b4b59bef7b4880518512078df9c14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yaml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 80467, "scanner": "repobility-supply-chain", "fingerprint": "53f66ad9782550824668df8aa6e622cebc8be19fd9bf964139d17389693fcd8d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|53f66ad9782550824668df8aa6e622cebc8be19fd9bf964139d17389693fcd8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yaml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 80466, "scanner": "repobility-supply-chain", "fingerprint": "db52a7a443fc6cb01f6b4e23888f17cad223e7881809a9b234b5fe726d435368", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db52a7a443fc6cb01f6b4e23888f17cad223e7881809a9b234b5fe726d435368"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 80465, "scanner": "repobility-supply-chain", "fingerprint": "93fd8feb3e8e0640f51924d9506468acaf064355a619aac06f2f7f5550de94c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93fd8feb3e8e0640f51924d9506468acaf064355a619aac06f2f7f5550de94c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 80462, "scanner": "repobility-supply-chain", "fingerprint": "519b82bc87bbb2a7391ea8a8a9dbbfae1893302e5b714ade49e0e578cc362c85", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|519b82bc87bbb2a7391ea8a8a9dbbfae1893302e5b714ade49e0e578cc362c85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-and-push-image-semver.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 80461, "scanner": "repobility-supply-chain", "fingerprint": "0cfe940474fb7430ad769009cd3ec72faaac2ee739baa536658649f9d69aa332", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0cfe940474fb7430ad769009cd3ec72faaac2ee739baa536658649f9d69aa332"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-translations.yaml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 80460, "scanner": "repobility-supply-chain", "fingerprint": "e344c6be8bd998c56f3d98aca12b029ed5b864a6690162e606438c3447843376", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e344c6be8bd998c56f3d98aca12b029ed5b864a6690162e606438c3447843376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-translations.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 80459, "scanner": "repobility-supply-chain", "fingerprint": "25445342b098e5711fe2cb295f423c7fb4a8632c2084531d7d8a6aff1374b82d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25445342b098e5711fe2cb295f423c7fb4a8632c2084531d7d8a6aff1374b82d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-package-versions.yaml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 80458, "scanner": "repobility-supply-chain", "fingerprint": "85a33b7c8b15f8ae3aac6cc6374c606c760c1acd7eb071e8eb1a20893c81e5e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85a33b7c8b15f8ae3aac6cc6374c606c760c1acd7eb071e8eb1a20893c81e5e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-package-versions.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 80457, "scanner": "repobility-supply-chain", "fingerprint": "cb19e4e55964153365ab598855b687c73ccbd5937c005280103694ae2682ac24", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb19e4e55964153365ab598855b687c73ccbd5937c005280103694ae2682ac24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-qa-tag.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ubuntu:noble-20251013` not pinned by digest"}, "properties": {"repobilityId": 80456, "scanner": "repobility-supply-chain", "fingerprint": "563693027571da15602023141490f6eb1baa421d597de8b2e498a746d7755f45", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|563693027571da15602023141490f6eb1baa421d597de8b2e498a746d7755f45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloud-deployments/openshift/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `mintplexlabs/anythingllm:render` not pinned by digest"}, "properties": {"repobilityId": 80455, "scanner": "repobility-supply-chain", "fingerprint": "001189962b85f7d1fc40e3fe2896b6ac733e6014f5b67aa50b5efab0428356fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|001189962b85f7d1fc40e3fe2896b6ac733e6014f5b67aa50b5efab0428356fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloud-deployments/huggingface-spaces/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ubuntu:noble-20251013` not pinned by digest"}, "properties": {"repobilityId": 80454, "scanner": "repobility-supply-chain", "fingerprint": "f095917d177b41367592731d5da6ab94662b3112ba7efe1eacab92a10c8e9106", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f095917d177b41367592731d5da6ab94662b3112ba7efe1eacab92a10c8e9106"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `epub2` pulled from URL/Git"}, "properties": {"repobilityId": 80453, "scanner": "repobility-supply-chain", "fingerprint": "873368fccc0967cafb13e853294f149e568322ad66c2a009e4b1bda0d05f036d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|873368fccc0967cafb13e853294f149e568322ad66c2a009e4b1bda0d05f036d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /workspace/:slug/delete-parsed-files has no auth"}, "properties": {"repobilityId": 80430, "scanner": "repobility-route-auth", "fingerprint": "2cb33f23952fc39c1fed7b2d3cd89b47d76b0d3e53ac68e91698fc8356579482", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2cb33f23952fc39c1fed7b2d3cd89b47d76b0d3e53ac68e91698fc8356579482"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/workspacesParsedFiles.js"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /document/move-files has no auth"}, "properties": {"repobilityId": 80429, "scanner": "repobility-route-auth", "fingerprint": "ff36a672e361fa9faa8988eec53d200a4174f900a2fa5c57d2902c97ee2ffd8f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ff36a672e361fa9faa8988eec53d200a4174f900a2fa5c57d2902c97ee2ffd8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/document.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /document/create-folder has no auth"}, "properties": {"repobilityId": 80428, "scanner": "repobility-route-auth", "fingerprint": "3ace83089a51e5651029877ed7f048b46d2ff20e1e2f0d3fa6deaa64e942eadc", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3ace83089a51e5651029877ed7f048b46d2ff20e1e2f0d3fa6deaa64e942eadc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/document.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /agent-skills/whitelist/add has no auth"}, "properties": {"repobilityId": 80427, "scanner": "repobility-route-auth", "fingerprint": "59ba385566fb3e89d4b5ac97b988e5b43a3d3197e62e70e858c8e0b88ef0704e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|59ba385566fb3e89d4b5ac97b988e5b43a3d3197e62e70e858c8e0b88ef0704e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/agentSkillWhitelist.js"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /embed/chats/:chatId has no auth"}, "properties": {"repobilityId": 80426, "scanner": "repobility-route-auth", "fingerprint": "d8e4f0962bad71002caa93e33e30509949e8ef06ea4efb6456f92b50bc8d9692", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d8e4f0962bad71002caa93e33e30509949e8ef06ea4efb6456f92b50bc8d9692"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/embedManagement.js"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /embed/chats has no auth"}, "properties": {"repobilityId": 80425, "scanner": "repobility-route-auth", "fingerprint": "33e2f122e0d96ec39f0226e52d2d835932a39577612cd2688fefb177ce4f221f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|33e2f122e0d96ec39f0226e52d2d835932a39577612cd2688fefb177ce4f221f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/embedManagement.js"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /embed/:embedId has no auth"}, "properties": {"repobilityId": 80424, "scanner": "repobility-route-auth", "fingerprint": "6548860094226fb679f48c494ecad9116f47c8df25bb0190b5e0217eb8bfe04b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6548860094226fb679f48c494ecad9116f47c8df25bb0190b5e0217eb8bfe04b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/embedManagement.js"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /embed/update/:embedId has no auth"}, "properties": {"repobilityId": 80423, "scanner": "repobility-route-auth", "fingerprint": "63e8d7cd59b88b99d035dbbf6fd5aa5562e1347706793bc2d36cb4fdd8012f97", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|63e8d7cd59b88b99d035dbbf6fd5aa5562e1347706793bc2d36cb4fdd8012f97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/embedManagement.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /embeds/new has no auth"}, "properties": {"repobilityId": 80422, "scanner": "repobility-route-auth", "fingerprint": "5038f84292aeb19358f00b73d4d2ecdd6aba1c1f30541c2c15056eda48aa80c1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5038f84292aeb19358f00b73d4d2ecdd6aba1c1f30541c2c15056eda48aa80c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/embedManagement.js"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /invite/:code has no auth"}, "properties": {"repobilityId": 80421, "scanner": "repobility-route-auth", "fingerprint": "d8bee03229d71b63210690b11378a24958542b82b022675d409aac667e6e00d7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d8bee03229d71b63210690b11378a24958542b82b022675d409aac667e6e00d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/invite.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /ext/paperless-ngx has no auth"}, "properties": {"repobilityId": 80420, "scanner": "repobility-route-auth", "fingerprint": "a43d41b8038f95bfdf5219fd53a44c936e7d8e812f6980db86fac34e46ca2b97", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a43d41b8038f95bfdf5219fd53a44c936e7d8e812f6980db86fac34e46ca2b97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/index.js"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /ext/obsidian/vault has no auth"}, "properties": {"repobilityId": 80419, "scanner": "repobility-route-auth", "fingerprint": "6a1d9f61571d00d1ffb416a5c96a6dead4bc4730a77d9b6a0990723aacaaef36", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6a1d9f61571d00d1ffb416a5c96a6dead4bc4730a77d9b6a0990723aacaaef36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/index.js"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /ext/drupalwiki has no auth"}, "properties": {"repobilityId": 80418, "scanner": "repobility-route-auth", "fingerprint": "91d51dc1884e41b7e25c8f4e5784d27cc61c9e523d163ac0d0b87d997671d795", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|91d51dc1884e41b7e25c8f4e5784d27cc61c9e523d163ac0d0b87d997671d795"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/index.js"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /ext/confluence has no auth"}, "properties": {"repobilityId": 80417, "scanner": "repobility-route-auth", "fingerprint": "f7c3306613c3c3c6e6d6e74ada3ea3613734c4aca58ff39e2340c12c2b854b7f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f7c3306613c3c3c6e6d6e74ada3ea3613734c4aca58ff39e2340c12c2b854b7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/index.js"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /ext/website-depth has no auth"}, "properties": {"repobilityId": 80416, "scanner": "repobility-route-auth", "fingerprint": "766c4b7e9ea2a711bc37d0aa81d0a5e5a80c96eacc0d731c7747df7519dfab3b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|766c4b7e9ea2a711bc37d0aa81d0a5e5a80c96eacc0d731c7747df7519dfab3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/index.js"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /ext/youtube-transcript has no auth"}, "properties": {"repobilityId": 80415, "scanner": "repobility-route-auth", "fingerprint": "ae35866ef9a4e8374cef71ae5b4bf89049428dceec70167ee6e32234444105ab", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ae35866ef9a4e8374cef71ae5b4bf89049428dceec70167ee6e32234444105ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/index.js"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /ext/:repo_platform-repo/branches has no auth"}, "properties": {"repobilityId": 80414, "scanner": "repobility-route-auth", "fingerprint": "14c7fec16c5cb2d42f6445f54df58a560b3795df7bb1ff1b1ae135242781aefc", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|14c7fec16c5cb2d42f6445f54df58a560b3795df7bb1ff1b1ae135242781aefc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/index.js"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /ext/:repo_platform-repo has no auth"}, "properties": {"repobilityId": 80413, "scanner": "repobility-route-auth", "fingerprint": "31e623e7d31a6de8e6b6f0a5290dd082980a06416a408a76668841b7c2600eae", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|31e623e7d31a6de8e6b6f0a5290dd082980a06416a408a76668841b7c2600eae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/index.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /ext/resync-source-document has no auth"}, "properties": {"repobilityId": 80412, "scanner": "repobility-route-auth", "fingerprint": "aaaea12c00c2d674447739473bd4baa88dd8ed074aed37d415c34f0f636bec9f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|aaaea12c00c2d674447739473bd4baa88dd8ed074aed37d415c34f0f636bec9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/extensions/index.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /process-raw-text has no auth"}, "properties": {"repobilityId": 80411, "scanner": "repobility-route-auth", "fingerprint": "5055b9bc70772ac97360cd86b6dc4c9fd981c08d48e691bf633bae8e086181b8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5055b9bc70772ac97360cd86b6dc4c9fd981c08d48e691bf633bae8e086181b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/index.js"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /util/convert-audio-to-wav has no auth"}, "properties": {"repobilityId": 80410, "scanner": "repobility-route-auth", "fingerprint": "5a3fa7e216c130d40540d8feb3a6e9d28de37a4176f3421cd1ec76de81c048ef", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5a3fa7e216c130d40540d8feb3a6e9d28de37a4176f3421cd1ec76de81c048ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/index.js"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /util/get-link has no auth"}, "properties": {"repobilityId": 80409, "scanner": "repobility-route-auth", "fingerprint": "24e1dec522d26f9f30390759a7bb16297bf789b6d174885c56c5b3fa5987fb8c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|24e1dec522d26f9f30390759a7bb16297bf789b6d174885c56c5b3fa5987fb8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/index.js"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /process-link has no auth"}, "properties": {"repobilityId": 80408, "scanner": "repobility-route-auth", "fingerprint": "78be3103e0b364d28e988ab1e46e41742c85f9632b2f25d281d9ba87fa7c8e78", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|78be3103e0b364d28e988ab1e46e41742c85f9632b2f25d281d9ba87fa7c8e78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/index.js"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /parse has no auth"}, "properties": {"repobilityId": 80407, "scanner": "repobility-route-auth", "fingerprint": "c28c4c9bedb9be2c49647e633c456ce187d4aafe8866a02ea518cb3b55fc29d8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c28c4c9bedb9be2c49647e633c456ce187d4aafe8866a02ea518cb3b55fc29d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/index.js"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /process has no auth"}, "properties": {"repobilityId": 80406, "scanner": "repobility-route-auth", "fingerprint": "398a8c8b60501d9e4b3e70f97e0874e3bef85cd4394d6027211cca570e4ecd0f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|398a8c8b60501d9e4b3e70f97e0874e3bef85cd4394d6027211cca570e4ecd0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/index.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 80590, "scanner": "gitleaks", "fingerprint": "6d5675e14276c0c15fff9f60d788653f31608e7c069c3961526af5dfbb74823f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "PINECONE_API_KEY=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|2|pinecone_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/vectorDbProviders/pinecone/PINECONE_SETUP.md"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 80557, "scanner": "repobility-threat-engine", "fingerprint": "71ed927d4a663fa4cb25487156b14a966c3b53714df5023280fc1cab809e0d1d", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://username:password@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|2|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/VectorDBSelection/PGVectorOptions/index.jsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 80522, "scanner": "repobility-threat-engine", "fingerprint": "f4dd9863761456cbd893ab7daaa83bf3e0c07aaf298da2c90723897a5214c900", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(pkg", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f4dd9863761456cbd893ab7daaa83bf3e0c07aaf298da2c90723897a5214c900"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/boot/patchSdkTimeouts.js"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 80521, "scanner": "repobility-threat-engine", "fingerprint": "091cfec2821c88eefaaea0ac7a1d9cf09ba61aeabbf5af62c7b5707937ff8fbe", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(this", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|091cfec2821c88eefaaea0ac7a1d9cf09ba61aeabbf5af62c7b5707937ff8fbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/agents/imported.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 80520, "scanner": "repobility-threat-engine", "fingerprint": "4c00e140edfb3f5cd14a266c115fe03e6c74885bb4277c289402a60ccc077a3a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(SUPPORTED_FILETYPE_CONVERTERS", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c00e140edfb3f5cd14a266c115fe03e6c74885bb4277c289402a60ccc077a3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "collector/processSingleFile/index.js"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED123", "level": "error", "message": {"text": "Trojan Source bidi character (LRM) in source"}, "properties": {"repobilityId": 80480, "scanner": "repobility-supply-chain", "fingerprint": "d670b3822e7c5967f7d02a229d31f6b8d96f2451e4927f8a409643b7ebc4ce26", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "trojan-source-bidi", "owasp": null, "cwe_ids": ["CWE-1007"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "vuln||CVE-2021-42574|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/public/embed/anythingllm-chat-widget.min.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ALLM_RW_PACKAGES` on a `pull_request` trigger"}, "properties": {"repobilityId": 80464, "scanner": "repobility-supply-chain", "fingerprint": "e04a93f3dc2d992b07fbc302b844d82e13f2300024e996fafb529ce32df50ddb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e04a93f3dc2d992b07fbc302b844d82e13f2300024e996fafb529ce32df50ddb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cleanup-qa-tag.yaml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ALLM_RW_PACKAGES` on a `pull_request` trigger"}, "properties": {"repobilityId": 80463, "scanner": "repobility-supply-chain", "fingerprint": "d809a8416dbcf4ccc7dc23142356f100eaad1881d4fefd81c37c0f4579370688", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d809a8416dbcf4ccc7dc23142356f100eaad1881d4fefd81c37c0f4579370688"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cleanup-qa-tag.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/preferences"}, "properties": {"repobilityId": 80452, "scanner": "repobility-route-auth", "fingerprint": "525a543e03326c5645bf7ca6bc2b18315efde3ea0e498c31eb2cabd40084d3c9", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|525a543e03326c5645bf7ca6bc2b18315efde3ea0e498c31eb2cabd40084d3c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/api/admin/index.js"}, "region": {"startLine": 718}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/workspace-chats"}, "properties": {"repobilityId": 80451, "scanner": "repobility-route-auth", "fingerprint": "21d51d599b19ae17f2a0bd2abc7864038fec0910242a60fb4961024ac65ac3a5", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|21d51d599b19ae17f2a0bd2abc7864038fec0910242a60fb4961024ac65ac3a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/api/admin/index.js"}, "region": {"startLine": 662}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/workspaces/:workspaceSlug/manage-users"}, "properties": {"repobilityId": 80450, "scanner": "repobility-route-auth", "fingerprint": "8cebcfc564a8fcd57f729f04d60d30eb65dfd02a31c64154b7cde466071b4b06", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|8cebcfc564a8fcd57f729f04d60d30eb65dfd02a31c64154b7cde466071b4b06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/api/admin/index.js"}, "region": {"startLine": 547}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/workspaces/:workspaceId/update-users"}, "properties": {"repobilityId": 80449, "scanner": "repobility-route-auth", "fingerprint": "9ef39881e725ad63253aa0f4da644e050695c7236d6e72baae6d18f114bfa61a", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|9ef39881e725ad63253aa0f4da644e050695c7236d6e72baae6d18f114bfa61a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/api/admin/index.js"}, "region": {"startLine": 480}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /v1/admin/invite/:id"}, "properties": {"repobilityId": 80448, "scanner": "repobility-route-auth", "fingerprint": "ab321730bcf49f8bd0acefd387a02f80008ca376f86c51af6ca24af3909eed0f", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|ab321730bcf49f8bd0acefd387a02f80008ca376f86c51af6ca24af3909eed0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/api/admin/index.js"}, "region": {"startLine": 374}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/invite/new"}, "properties": {"repobilityId": 80447, "scanner": "repobility-route-auth", "fingerprint": "7055e307305e07fb11488973b41b0296d28fb05bc5a27807462459e300859ee6", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|7055e307305e07fb11488973b41b0296d28fb05bc5a27807462459e300859ee6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/api/admin/index.js"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /v1/admin/users/:id"}, "properties": {"repobilityId": 80446, "scanner": "repobility-route-auth", "fingerprint": "34350b5fe18ed3459b5fd8e46c620b39029aa7ef7f227f76bec2326e7026ad4a", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|34350b5fe18ed3459b5fd8e46c620b39029aa7ef7f227f76bec2326e7026ad4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/api/admin/index.js"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/users/:id"}, "properties": {"repobilityId": 80445, "scanner": "repobility-route-auth", "fingerprint": "36dab22a3eaa6a99988b254ef97647cfb8517e72e3918663a4cf2e2e99cb4d5e", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|36dab22a3eaa6a99988b254ef97647cfb8517e72e3918663a4cf2e2e99cb4d5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/api/admin/index.js"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /v1/admin/users/new"}, "properties": {"repobilityId": 80444, "scanner": "repobility-route-auth", "fingerprint": "2501e6654c77f649766ddd586b5d100637dafb325686048b5b804cdbfc34492e", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|2501e6654c77f649766ddd586b5d100637dafb325686048b5b804cdbfc34492e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/api/admin/index.js"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/agent-skills/outlook/revoke"}, "properties": {"repobilityId": 80443, "scanner": "repobility-route-auth", "fingerprint": "a02d75ae8b33e9bd3bad4a5d6065e05d6ae4681ca11c4b46c2a90d59c6254864", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|a02d75ae8b33e9bd3bad4a5d6065e05d6ae4681ca11c4b46c2a90d59c6254864"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/utils/outlookAgentUtils.js"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/agent-skills/outlook/auth-url"}, "properties": {"repobilityId": 80442, "scanner": "repobility-route-auth", "fingerprint": "2e192ac65f26944c439c0411a3beb0d7daad0185a5bc2524a1309b5860ecbae7", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|2e192ac65f26944c439c0411a3beb0d7daad0185a5bc2524a1309b5860ecbae7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/utils/outlookAgentUtils.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /admin/delete-api-key/:id"}, "properties": {"repobilityId": 80441, "scanner": "repobility-route-auth", "fingerprint": "7115db7a92fd619b8642a03994f4e626a5272c1bd2dbbb4b663998cb1e2cd9e5", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|7115db7a92fd619b8642a03994f4e626a5272c1bd2dbbb4b663998cb1e2cd9e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/admin.js"}, "region": {"startLine": 543}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/generate-api-key"}, "properties": {"repobilityId": 80440, "scanner": "repobility-route-auth", "fingerprint": "acead5fddea5bf2951c18dfbcd6e8456bfdba8a141869f69deb9a210ad761fb6", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|acead5fddea5bf2951c18dfbcd6e8456bfdba8a141869f69deb9a210ad761fb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/admin.js"}, "region": {"startLine": 519}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/system-preferences"}, "properties": {"repobilityId": 80439, "scanner": "repobility-route-auth", "fingerprint": "0e15d83fbfab5907e4cd8db0b5c80cfd18fc119bcf135cc1c7fcf11c5b21f98f", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|0e15d83fbfab5907e4cd8db0b5c80cfd18fc119bcf135cc1c7fcf11c5b21f98f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/admin.js"}, "region": {"startLine": 462}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /admin/workspaces/:id"}, "properties": {"repobilityId": 80438, "scanner": "repobility-route-auth", "fingerprint": "f6d0aee0e6a6b49f71c1a41fe07a7f3e81ecf109a1a5c537ff32fd2e91ca1a4f", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|f6d0aee0e6a6b49f71c1a41fe07a7f3e81ecf109a1a5c537ff32fd2e91ca1a4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/admin.js"}, "region": {"startLine": 295}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/workspaces/:workspaceId/update-users"}, "properties": {"repobilityId": 80437, "scanner": "repobility-route-auth", "fingerprint": "9deb2643f14783a5ff340b96a39bdc94788f82bd32767486c3bd529b6be23841", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|9deb2643f14783a5ff340b96a39bdc94788f82bd32767486c3bd529b6be23841"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/admin.js"}, "region": {"startLine": 276}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/workspaces/new"}, "properties": {"repobilityId": 80436, "scanner": "repobility-route-auth", "fingerprint": "ca67b52af3ecfed827e7e9546e0f6c7bf64ffc373c89bc459a2567d557560645", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|ca67b52af3ecfed827e7e9546e0f6c7bf64ffc373c89bc459a2567d557560645"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/admin.js"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /admin/invite/:id"}, "properties": {"repobilityId": 80435, "scanner": "repobility-route-auth", "fingerprint": "3e061cd71d43feecdf9edb7cf6c27b0da18a2f4b74ca2877811b7d07cfc9e6d0", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|3e061cd71d43feecdf9edb7cf6c27b0da18a2f4b74ca2877811b7d07cfc9e6d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/admin.js"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/invite/new"}, "properties": {"repobilityId": 80434, "scanner": "repobility-route-auth", "fingerprint": "d3a85ca7b6912e264dfc462d9ecc36d9bf629034d782857000362ea630932ea7", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|d3a85ca7b6912e264dfc462d9ecc36d9bf629034d782857000362ea630932ea7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/admin.js"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /admin/user/:id"}, "properties": {"repobilityId": 80433, "scanner": "repobility-route-auth", "fingerprint": "cabcd9f016b0acb73cce56b55250eaac3e5659b391265ad531d971611ec6dd4f", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|cabcd9f016b0acb73cce56b55250eaac3e5659b391265ad531d971611ec6dd4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/admin.js"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/user/:id"}, "properties": {"repobilityId": 80432, "scanner": "repobility-route-auth", "fingerprint": "4516b744a6496e260bf4ef0b44a2b7f06e416b0ae989d15d6fda3d870b8f2c4f", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|4516b744a6496e260bf4ef0b44a2b7f06e416b0ae989d15d6fda3d870b8f2c4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/admin.js"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/users/new"}, "properties": {"repobilityId": 80431, "scanner": "repobility-route-auth", "fingerprint": "7e41bc6c8cdaf2fa4aeb45dabf4c441af6106d96170a2e39203b711fd353f3ea", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|7e41bc6c8cdaf2fa4aeb45dabf4c441af6106d96170a2e39203b711fd353f3ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/endpoints/admin.js"}, "region": {"startLine": 52}}}]}]}]}