{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "ADD can fetch remote URLs without checksum verification. This makes builds dependent on mutable network content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/398"}, "properties": {"repository": "SonarSource/sonarqube-mcp-server", "repoUrl": "https://github.com/SonarSource/sonarqube-mcp-server.git", "branch": "master"}, "results": [{"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 23179, "scanner": "repobility-threat-engine", "fingerprint": "4ef97d80f1a8dad18a4695c1648c143c1d290f540796b99d2dc74390151b772b", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LOG.warn(\"Deprecated header SONARQUBE_TOKEN used from \" + request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4ef97d80f1a8dad18a4695c1648c143c1d290f540796b99d2dc74390151b772b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/org/sonarsource/sonarqube/mcp/authentication/AuthenticationFilter.java"}, "region": {"startLine": 174}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 23178, "scanner": "repobility-threat-engine", "fingerprint": "5aad2a2966a5bef606684d5588ef7ceb073715e3a681df149d53f0aed14c9153", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LOG.debug(\"HTTP client user agent: \" + user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5aad2a2966a5bef606684d5588ef7ceb073715e3a681df149d53f0aed14c9153"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/org/sonarsource/sonarqube/mcp/http/HttpClientProvider.java"}, "region": {"startLine": 158}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 23177, "scanner": "repobility-threat-engine", "fingerprint": "abab1bb02273538fffd044c1cd88129289ca0f14508f278c4d1012e46edbe895", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LOG.debug(\"Rejecting unsupported method: \" + request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|abab1bb02273538fffd044c1cd88129289ca0f14508f278c4d1012e46edbe895"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/org/sonarsource/sonarqube/mcp/transport/PerRequestToolFilteringHandler.java"}, "region": {"startLine": 100}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 13055, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 13054, "scanner": "repobility-docker", "fingerprint": "1b900e212d56907b721e46ebdc9ca70c6ac6c53241541e716942ec6a92debb0a", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1b900e212d56907b721e46ebdc9ca70c6ac6c53241541e716942ec6a92debb0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 13052, "scanner": "repobility-threat-engine", "fingerprint": "ff0f4ede0d7a41ce7f4b9cfec5175025ec0aeaffe88cfab6ba505c6b47b66e38", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.9 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (3.9 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|8|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/org/sonarsource/sonarqube/mcp/configuration/McpServerLaunchConfiguration.java"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23176, "scanner": "repobility-threat-engine", "fingerprint": "85cad7ad7d78d68a87bd5fb258b600d2153ffe1120b54bce6f893119698bfd61", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|85cad7ad7d78d68a87bd5fb258b600d2153ffe1120b54bce6f893119698bfd61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/org/sonarsource/sonarqube/mcp/configuration/McpServerLaunchConfiguration.java"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23175, "scanner": "repobility-threat-engine", "fingerprint": "60071ae2889c6f89c4c8481af37b826146164ce396467c1af1d2879dab08d3f3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60071ae2889c6f89c4c8481af37b826146164ce396467c1af1d2879dab08d3f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/org/sonarsource/sonarqube/mcp/serverapi/ServerApiHelper.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23174, "scanner": "repobility-threat-engine", "fingerprint": "a3038b55d0212b086d4cca773e4e9123eb4d08832b62fe248478b6f413800646", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a3038b55d0212b086d4cca773e4e9123eb4d08832b62fe248478b6f413800646"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build.gradle.kts"}, "region": {"startLine": 215}}}]}, {"ruleId": "SEC002", "level": "error", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 13053, "scanner": "repobility-threat-engine", "fingerprint": "35638fe8d2fdd34799eab7756563770261f1b03a4b7e26dd95a800046870e395", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.6 bits) \u2014 likely real secret", "evidence": {"match": "API_KEY = \"<redacted>\"", "reason": "High entropy value (4.6 bits) \u2014 likely real secret", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|3|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/org/sonarsource/sonarqube/mcp/analytics/AnalyticsClient.java"}, "region": {"startLine": 35}}}]}]}]}