{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-q34m-jh98-gwm2", "name": "werkzeug: GHSA-q34m-jh98-gwm2", "shortDescription": {"text": "werkzeug: GHSA-q34m-jh98-gwm2"}, "fullDescription": {"text": "Werkzeug possible resource exhaustion when parsing file data in forms"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hgf8-39gv-g3f2", "name": "werkzeug: GHSA-hgf8-39gv-g3f2", "shortDescription": {"text": "werkzeug: GHSA-hgf8-39gv-g3f2"}, "fullDescription": {"text": "Werkzeug safe_join() allows Windows special device names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f9vj-2wh5-fj8j", "name": "werkzeug: GHSA-f9vj-2wh5-fj8j", "shortDescription": {"text": "werkzeug: GHSA-f9vj-2wh5-fj8j"}, "fullDescription": {"text": "Werkzeug safe_join not safe on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-87hc-h4r5-73f7", "name": "werkzeug: GHSA-87hc-h4r5-73f7", "shortDescription": {"text": "werkzeug: GHSA-87hc-h4r5-73f7"}, "fullDescription": {"text": " Werkzeug safe_join() allows Windows special device names with compound extensions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-29vq-49wr-vm6x", "name": "werkzeug: GHSA-29vq-49wr-vm6x", "shortDescription": {"text": "werkzeug: GHSA-29vq-49wr-vm6x"}, "fullDescription": {"text": " Werkzeug safe_join() allows Windows special device names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, 
{"id": "GHSA-6w46-j5rx-g56g", "name": "pytest: GHSA-6w46-j5rx-g56g", "shortDescription": {"text": "pytest: GHSA-6w46-j5rx-g56g"}, "fullDescription": {"text": "pytest has vulnerable tmpdir handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r73j-pqj5-w3x7", "name": "pillow: GHSA-r73j-pqj5-w3x7", "shortDescription": {"text": "pillow: GHSA-r73j-pqj5-w3x7"}, "fullDescription": {"text": "Pillow has a PDF Parsing Trailer Infinite Loop (DoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . 
is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "MINED124", "name": "requirements.txt: `pytest-xdist` has no version pin", "shortDescription": {"text": "requirements.txt: `pytest-xdist` has no version pin"}, "fullDescription": {"text": "Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-5239-wwwm-4pmq", "name": "pygments: GHSA-5239-wwwm-4pmq", "shortDescription": {"text": "pygments: GHSA-5239-wwwm-4pmq"}, "fullDescription": {"text": "Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-68rp-wp8r-4726", "name": "flask: GHSA-68rp-wp8r-4726", "shortDescription": {"text": "flask: GHSA-68rp-wp8r-4726"}, "fullDescription": {"text": "Flask session does not add `Vary: Cookie` header when accessed in some ways"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `__str__` has cognitive complexity 10 (SonarSource scale). 
Cognitive compl", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `__str__` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all w"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 10."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-PY", "name": "Python package `playwright` is minor version(s) behind (1.59.0 -> 1.60.0)", "shortDescription": {"text": "Python package `playwright` is minor version(s) behind (1.59.0 -> 1.60.0)"}, "fullDescription": {"text": "`playwright==1.59.0` is minor version(s) behind the latest stable release on PyPI (1.60.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-400 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-117", "name": "pygments: PYSEC-2023-117", "shortDescription": {"text": "pygments: PYSEC-2023-117"}, "fullDescription": {"text": "A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g68-c3qc-8985", "name": "werkzeug: GHSA-2g68-c3qc-8985", "shortDescription": {"text": "werkzeug: GHSA-2g68-c3qc-8985"}, "fullDescription": {"text": "Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-44wm-f244-xhp3", "name": "pillow: GHSA-44wm-f244-xhp3", "shortDescription": {"text": "pillow: GHSA-44wm-f244-xhp3"}, "fullDescription": {"text": "Pillow buffer overflow vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-165", "name": "pillow: PYSEC-2026-165", "shortDescription": {"text": "pillow: PYSEC-2026-165"}, "fullDescription": {"text": "Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. 
This issue has been patched in version 12.2.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-227", "name": "pillow: PYSEC-2023-227", "shortDescription": {"text": "pillow: PYSEC-2023-227"}, "fullDescription": {"text": "An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-175", "name": "pillow: PYSEC-2023-175", "shortDescription": {"text": "pillow: PYSEC-2023-175"}, "fullDescription": {"text": "Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/checkout@v6` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a full 40-character commit SHA and keep the pin updated with Dependabot or Renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/netromdk/vermin` pinned to mutable rev `v1.7.0`", "shortDescription": {"text": "pre-commit hook `https://github.com/netromdk/vermin` pinned to mutable rev `v1.7.0`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/netromdk/vermin` at `rev: v1.7.0`. If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `python:3.12-slim-trixie` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `python:3.12-slim-trixie` not pinned by digest"}, "fullDescription": {"text": "`FROM python:3.12-slim-trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "Blocking call `requests.append` inside async function `test_snapshot_returns_copies`", "shortDescription": {"text": "Blocking call `requests.append` inside async function `test_snapshot_returns_copies`"}, "fullDescription": {"text": "`requests.append` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_get_nonexistent_raises_with_available", "shortDescription": {"text": "Phantom test coverage: test_get_nonexistent_raises_with_available"}, "fullDescription": {"text": "Test function `test_get_nonexistent_raises_with_available` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self._is_text_node` used but never assigned in __init__", "shortDescription": {"text": "`self._is_text_node` used but never assigned in __init__"}, "fullDescription": {"text": "Method `next` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-3f63-hfp8-52jq", "name": "pillow: GHSA-3f63-hfp8-52jq", "shortDescription": {"text": "pillow: GHSA-3f63-hfp8-52jq"}, "fullDescription": {"text": "Arbitrary Code Execution in Pillow"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED030", "name": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.", "shortDescription": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC081", "name": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary co", "shortDescription": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. 
Ported from dlint DUO103 / DUO120 (BSD-3)."}, "fullDescription": {"text": "Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC and verify the signature before unpickling."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.CONTAINER_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.CONTAINER_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CONTAINER_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context). When triaging, note that GitHub withholds repository secrets from `pull_request` runs that originate in forks unless the repository is configured to send them, so confirm the trigger and repository settings before rating this finding."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED125", "name": "GHA script injection via github.event.pull_request.title in run-step", "shortDescription": {"text": "GHA script injection via github.event.pull_request.title in run-step"}, "fullDescription": {"text": "`run:` step interpolates ${{ github.event.pull_request.title }} directly into shell. 
PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `string` used but not imported", "shortDescription": {"text": "Missing import: `string` used but not imported"}, "fullDescription": {"text": "The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/690"}, "properties": {"repository": "D4Vinci/Scrapling", "repoUrl": "https://github.com/D4Vinci/Scrapling", "branch": "main"}, "results": [{"ruleId": "GHSA-q34m-jh98-gwm2", "level": "warning", "message": {"text": "werkzeug: GHSA-q34m-jh98-gwm2"}, "properties": {"repobilityId": 54246, "scanner": "osv-scanner", "fingerprint": "553abe1566d971ca196ce9ee267cead2a9778689ee5ccb8440510fe2a1131f6e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-49767"], "package": "werkzeug", "rule_id": "GHSA-q34m-jh98-gwm2", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2024-49767|tests/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hgf8-39gv-g3f2", "level": "warning", "message": {"text": "werkzeug: GHSA-hgf8-39gv-g3f2"}, "properties": {"repobilityId": 54245, "scanner": "osv-scanner", "fingerprint": "cc033d0ec91400eaaa54512f7c7dd9456f841c8598833f8e6807847ff6ab9e3d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"match": "", "aliases": ["CVE-2025-66221"], "package": "werkzeug", "rule_id": "GHSA-hgf8-39gv-g3f2", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2025-66221|tests/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f9vj-2wh5-fj8j", "level": "warning", "message": {"text": "werkzeug: GHSA-f9vj-2wh5-fj8j"}, "properties": {"repobilityId": 54244, "scanner": "osv-scanner", "fingerprint": "7d7e211e9c0a13e378ae90aa6d48117c0eca79dae743d5bda7f43dfdbea3a610", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-49766"], "package": "werkzeug", "rule_id": "GHSA-f9vj-2wh5-fj8j", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2024-49766|tests/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-87hc-h4r5-73f7", "level": "warning", "message": {"text": "werkzeug: GHSA-87hc-h4r5-73f7"}, "properties": {"repobilityId": 54243, "scanner": "osv-scanner", "fingerprint": "665a22bc4d7043e57e210f719678441228125450491e22c23e942eef7b2fc118", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-21860"], "package": "werkzeug", "rule_id": "GHSA-87hc-h4r5-73f7", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2026-21860|tests/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-29vq-49wr-vm6x", "level": "warning", "message": {"text": "werkzeug: GHSA-29vq-49wr-vm6x"}, "properties": {"repobilityId": 54241, "scanner": "osv-scanner", "fingerprint": 
"27250c85bd4652c868e956104b2b1a233d1451353e33dc0239be8d2bc27d70c9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27199"], "package": "werkzeug", "rule_id": "GHSA-29vq-49wr-vm6x", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2026-27199|tests/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6w46-j5rx-g56g", "level": "warning", "message": {"text": "pytest: GHSA-6w46-j5rx-g56g"}, "properties": {"repobilityId": 54240, "scanner": "osv-scanner", "fingerprint": "1ce7f144b62eabd68240e3c51a54b0b6480c9f82a601f75ee898e09919839de1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-71176"], "package": "pytest", "rule_id": "GHSA-6w46-j5rx-g56g", "scanner": "osv-scanner", "correlation_key": "vuln|pytest|CVE-2025-71176|tests/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r73j-pqj5-w3x7", "level": "warning", "message": {"text": "pillow: GHSA-r73j-pqj5-w3x7"}, "properties": {"repobilityId": 54239, "scanner": "osv-scanner", "fingerprint": "d24573be9b28b81a7bdd13742cf2b08b9e0e7901c6e40e862cd491aae886a6f1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42310", "CVE-2026-42310"], "package": "pillow", "rule_id": "GHSA-r73j-pqj5-w3x7", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42310|docs/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 54232, "scanner": "repobility-docker", "fingerprint": "bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 54231, "scanner": "repobility-docker", "fingerprint": "3dea580f60dbf5a7a0b24acae55cc1c1bf45cca0e1fc56ec5a335546a41aa960", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3dea580f60dbf5a7a0b24acae55cc1c1bf45cca0e1fc56ec5a335546a41aa960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context 
with incomplete .dockerignore"}, "properties": {"repobilityId": 54230, "scanner": "repobility-docker", "fingerprint": "aa4bb921b98b392bcd7550f94e5dd2d8afd7ab35f86fd9a141996b7a6e6f4f63", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aa4bb921b98b392bcd7550f94e5dd2d8afd7ab35f86fd9a141996b7a6e6f4f63", "missing_patterns": [".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 54225, "scanner": "repobility-threat-engine", "fingerprint": "46301152d00214f6f4199affe168c1ecd2cedad064575c0a9567a6f08d658406", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.loads(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|74|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/spiders/checkpoint.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 54152, "scanner": "repobility-agent-runtime", "fingerprint": 
"a89dffd1c9b1ee68be579e4e43a38fa0c91f4d15bf989236e8a34865ec16939d", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a89dffd1c9b1ee68be579e4e43a38fa0c91f4d15bf989236e8a34865ec16939d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/cli.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `pytest-xdist` has no version pin"}, "properties": {"repobilityId": 54121, "scanner": "repobility-supply-chain", "fingerprint": "785693eaf0c8a2104aa72d26ed0f45ff5dc3e225637ac45c9d18af12eff0517e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|785693eaf0c8a2104aa72d26ed0f45ff5dc3e225637ac45c9d18af12eff0517e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `pytest-asyncio` has no version pin"}, "properties": {"repobilityId": 54120, "scanner": "repobility-supply-chain", "fingerprint": "90c5a74de0395839b0b295ccf03edf4bb73d98a0420d3921f165f42e4d6184a9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": 
["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|90c5a74de0395839b0b295ccf03edf4bb73d98a0420d3921f165f42e4d6184a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `werkzeug<3.0.0` has no version pin"}, "properties": {"repobilityId": 54119, "scanner": "repobility-supply-chain", "fingerprint": "7009cc21659c9dfe674be10c2b7f7b60fd0e882b1ecda743dc45fefc5fe1493a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7009cc21659c9dfe674be10c2b7f7b60fd0e882b1ecda743dc45fefc5fe1493a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `pytest-cov` has no version pin"}, "properties": {"repobilityId": 54118, "scanner": "repobility-supply-chain", "fingerprint": "56f4bf75b987875001ff861e58a86f9b1cd79d1cc4abff4cc2eeaad5a350d68a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|56f4bf75b987875001ff861e58a86f9b1cd79d1cc4abff4cc2eeaad5a350d68a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 2}}}]}, 
{"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `pngquant` has no version pin"}, "properties": {"repobilityId": 54117, "scanner": "repobility-supply-chain", "fingerprint": "d10072bd58df1e39d30d2fc528bcd4c638fd0d9db155741f8b6ffd32a96f6a56", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d10072bd58df1e39d30d2fc528bcd4c638fd0d9db155741f8b6ffd32a96f6a56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 54112, "scanner": "repobility-ast-engine", "fingerprint": "fdac68f252c64da76224fffcefc77bf98f4279ab304506c022ee464735fdea43", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fdac68f252c64da76224fffcefc77bf98f4279ab304506c022ee464735fdea43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/spiders/engine.py"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 54111, "scanner": "repobility-ast-engine", "fingerprint": "e6a305f7a3500ccbf8da530b52ead75b492bcc75e430b9e1e58b6d23444f4bc3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e6a305f7a3500ccbf8da530b52ead75b492bcc75e430b9e1e58b6d23444f4bc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/core/ai.py"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 54110, "scanner": "repobility-ast-engine", "fingerprint": "998a02634e45364504064bac22cc366a08bfc53090a65d73bd835fe611f4e9c5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|998a02634e45364504064bac22cc366a08bfc53090a65d73bd835fe611f4e9c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/core/shell.py"}, "region": {"startLine": 363}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 54100, "scanner": "repobility-ast-engine", "fingerprint": "17299114daf69b022559e8c320439c1a0eaedbb52ed71684f85641c226ab50c1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|17299114daf69b022559e8c320439c1a0eaedbb52ed71684f85641c226ab50c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"tests/core/test_storage_core.py"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 54067, "scanner": "repobility-ast-engine", "fingerprint": "2ae8c69ee1b163a4312172413a22370376e3f49cf52223a6c98c472cc610a2d1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2ae8c69ee1b163a4312172413a22370376e3f49cf52223a6c98c472cc610a2d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cleanup.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 54066, "scanner": "repobility-ast-engine", "fingerprint": "e44b5d6425bd23699bf27e82c6c11e5f55568d3c99cc4b79be9f8ed5f2ba8fd3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e44b5d6425bd23699bf27e82c6c11e5f55568d3c99cc4b79be9f8ed5f2ba8fd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cleanup.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "GHSA-5239-wwwm-4pmq", "level": "note", "message": {"text": "pygments: GHSA-5239-wwwm-4pmq"}, "properties": {"repobilityId": 54249, "scanner": "osv-scanner", "fingerprint": "55bfbdde2126f420b6011a3c04eec5bb639bfa9ef30a7697fdbf2ea9ad69b185", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4539"], "package": "pygments", "rule_id": "GHSA-5239-wwwm-4pmq", "scanner": "osv-scanner", "correlation_key": "vuln|pygments|CVE-2026-4539|tests/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-68rp-wp8r-4726", "level": "note", "message": {"text": "flask: GHSA-68rp-wp8r-4726"}, "properties": {"repobilityId": 54247, "scanner": "osv-scanner", "fingerprint": "80619d3b098e9d1a6406dae6befb50826089c98bbe7e3d6d9cb7340c6d12a8fe", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27205"], "package": "flask", "rule_id": "GHSA-68rp-wp8r-4726", "scanner": "osv-scanner", "correlation_key": "vuln|flask|CVE-2026-27205|tests/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 54233, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `__str__` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, else=1, if=4, nested_bonus=3, recursion=1."}, "properties": {"repobilityId": 54162, "scanner": "repobility-threat-engine", "fingerprint": "0e401b63007a82091c6f19ff70954df20bfd242d277c7a0601151c365230bdce", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "__str__", "breakdown": {"if": 4, "elif": 1, "else": 1, "recursion": 1, "nested_bonus": 3}, "complexity": 10, "correlation_key": "fp|0e401b63007a82091c6f19ff70954df20bfd242d277c7a0601151c365230bdce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/core/translator.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `clean` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, except=2, for=3, if=1, nested_bonus=6."}, "properties": {"repobilityId": 54158, "scanner": "repobility-threat-engine", "fingerprint": "4f1b54593d73b41bc7f39bd82c9d704cd21180e1f301eb83ea5b80f6b5ea0160", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "clean", "breakdown": {"if": 1, "for": 3, "else": 1, "except": 2, "nested_bonus": 6}, "complexity": 13, "correlation_key": "fp|4f1b54593d73b41bc7f39bd82c9d704cd21180e1f301eb83ea5b80f6b5ea0160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cleanup.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `playwright` is minor version(s) behind (1.59.0 -> 1.60.0)"}, "properties": {"repobilityId": 54150, "scanner": "repobility-dependency-currency", "fingerprint": "2328bf6856e3a4bef0f2a3e447c3ea36a8859f14a9997c404b298f931cbfb1cb", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "playwright", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.60.0", "correlation_key": "fp|2328bf6856e3a4bef0f2a3e447c3ea36a8859f14a9997c404b298f931cbfb1cb", "current_version": "1.59.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54055, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"9e8cccd93a1a5fe25425a33cad579a17779414a16fedd5ae0b9f7ab9e9a15c73", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scrapling/engines/_browsers/_stealth.py", "duplicate_line": 39, "correlation_key": "fp|9e8cccd93a1a5fe25425a33cad579a17779414a16fedd5ae0b9f7ab9e9a15c73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/fetchers/stealth_chrome.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54054, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8118fc86cd04f7ecb4bafa6b8c82af907255ed5b3db92febc159574dcdfab325", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scrapling/engines/_browsers/_controllers.py", "duplicate_line": 38, "correlation_key": "fp|8118fc86cd04f7ecb4bafa6b8c82af907255ed5b3db92febc159574dcdfab325"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/fetchers/stealth_chrome.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 54053, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff1316f6dd4743eb5d4cbdb0468e4f1ebb5fb6df715441dadb1dbe6e52e5323b", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scrapling/engines/_browsers/_controllers.py", "duplicate_line": 20, "correlation_key": "fp|ff1316f6dd4743eb5d4cbdb0468e4f1ebb5fb6df715441dadb1dbe6e52e5323b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/engines/_browsers/_stealth.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 54224, "scanner": "repobility-threat-engine", "fingerprint": "972619f324a9478449fca818ac4f6d9def746fdbae950dd6f4ec1f97164738c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|972619f324a9478449fca818ac4f6d9def746fdbae950dd6f4ec1f97164738c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/engines/toolbelt/proxy_rotation.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 54184, "scanner": "repobility-threat-engine", "fingerprint": "bb073d169e432edd80ad520c2365fa126e348646d562af5169f91fd938623995", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bb073d169e432edd80ad520c2365fa126e348646d562af5169f91fd938623995", "aggregated_count": 3}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 54183, "scanner": "repobility-threat-engine", "fingerprint": "de1f8f6c9892d98b9b6511f00db90bac7a2229b1b2732bf7139c70e4da1a0992", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de1f8f6c9892d98b9b6511f00db90bac7a2229b1b2732bf7139c70e4da1a0992"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/spiders/checkpoint.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED062", 
"level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 54182, "scanner": "repobility-threat-engine", "fingerprint": "f955c3fa89b4170f83dc6d603787bbc6ab8eaae142c797153e07a1e9488167d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f955c3fa89b4170f83dc6d603787bbc6ab8eaae142c797153e07a1e9488167d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/engines/_browsers/_validators.py"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 54181, "scanner": "repobility-threat-engine", "fingerprint": "3f087c73ba966674c9e3845c6c519efa1610de5b7e48770316047518493d824d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f087c73ba966674c9e3845c6c519efa1610de5b7e48770316047518493d824d"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "scrapling/engines/_browsers/_page.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 54180, "scanner": "repobility-threat-engine", "fingerprint": "8fb62b50ec4229d89bc05aec181b7f33e9c56e0be5571726e63f52f5bf3e69f4", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.reset(token)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|5|logger.reset token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/core/utils/_utils.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 54178, "scanner": "repobility-threat-engine", "fingerprint": "86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "aggregated_count": 1}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 54176, "scanner": "repobility-threat-engine", "fingerprint": "84a951ead6bf40017fd6ff1113a9553e0d89ca55aaeda08d81339e7b5088bdd3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|84a951ead6bf40017fd6ff1113a9553e0d89ca55aaeda08d81339e7b5088bdd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/engines/toolbelt/custom.py"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 54174, "scanner": "repobility-threat-engine", "fingerprint": "68b0811ffdc4bab7a97ce0e33239d08fce712675db0ed75d306e6c772a841c19", "category": "quality", 
"severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68b0811ffdc4bab7a97ce0e33239d08fce712675db0ed75d306e6c772a841c19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/core/translator.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 54172, "scanner": "repobility-threat-engine", "fingerprint": "eaaf50a033f7eb2b6a6c9921b2d7604ff09c13a12fde3ac10a3ff8f1bf5bf837", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eaaf50a033f7eb2b6a6c9921b2d7604ff09c13a12fde3ac10a3ff8f1bf5bf837"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/core/storage.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 54170, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 54164, "scanner": "repobility-threat-engine", "fingerprint": "49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "clean", "breakdown": {"if": 1, "for": 3, "else": 1, "except": 2, "nested_bonus": 6}, "aggregated": true, "complexity": 13, "correlation_key": "fp|49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "aggregated_count": 15}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 54156, "scanner": "repobility-threat-engine", "fingerprint": "39f1b111f384206930f883ac1345067c843d7ad0c923abae11bc7931e61fd730", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39f1b111f384206930f883ac1345067c843d7ad0c923abae11bc7931e61fd730"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "PYSEC-2023-117", "level": "error", "message": {"text": "pygments: PYSEC-2023-117"}, "properties": {"repobilityId": 54248, "scanner": "osv-scanner", "fingerprint": "fb4bcee4e36bae9726ca8b3d180162a059289767a5625ff9c4703a51d9d4aa54", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2022-40896", "GHSA-mrwq-x4v8-fh7p"], "package": "pygments", "rule_id": "PYSEC-2023-117", "scanner": "osv-scanner", "correlation_key": "vuln|pygments|CVE-2022-40896|tests/requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-mrwq-x4v8-fh7p", "PYSEC-2023-117"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["86c57ced6b949373986532a30b06f5343367faa9e511836c921c81c4249004eb", "fb4bcee4e36bae9726ca8b3d180162a059289767a5625ff9c4703a51d9d4aa54"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g68-c3qc-8985", "level": "error", "message": {"text": "werkzeug: GHSA-2g68-c3qc-8985"}, "properties": {"repobilityId": 54242, "scanner": "osv-scanner", "fingerprint": "bb0721b277a9f1bbcdf87b8722e7d9ed536e64d77fc4c5429203d1fa85645e9d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-34069"], "package": "werkzeug", "rule_id": "GHSA-2g68-c3qc-8985", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2024-34069|tests/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-44wm-f244-xhp3", "level": "error", "message": {"text": "pillow: GHSA-44wm-f244-xhp3"}, "properties": {"repobilityId": 54238, "scanner": "osv-scanner", "fingerprint": "8acd8ab563ee965fd69d70931efc7305ead2023603caea740b73fb7d753a1b59", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2024-28219", "CVE-2024-28219"], "package": "pillow", "rule_id": "GHSA-44wm-f244-xhp3", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2024-28219|docs/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-165", "level": "error", "message": {"text": "pillow: PYSEC-2026-165"}, "properties": {"repobilityId": 54236, "scanner": "osv-scanner", "fingerprint": "06cb81003a683ed8c8832eb665d68e9ccebe9dc080faec9de074f2741b1b2a36", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": 
["BIT-pillow-2026-42308", "CVE-2026-42308", "GHSA-wjx4-4jcj-g98j"], "package": "pillow", "rule_id": "PYSEC-2026-165", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42308|docs/requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-wjx4-4jcj-g98j", "PYSEC-2026-165"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["06cb81003a683ed8c8832eb665d68e9ccebe9dc080faec9de074f2741b1b2a36", "6d035cc233273babae06c930c9d99e18e753c9c4f9d92c298c887485a5130c0e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-227", "level": "error", "message": {"text": "pillow: PYSEC-2023-227"}, "properties": {"repobilityId": 54235, "scanner": "osv-scanner", "fingerprint": "49eae3b78f4794c8066dfa74709d4725df1ae8cedc5e4d9fd7f5b48b7f4f55bf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-pillow-2023-44271", "CVE-2023-44271", "GHSA-8ghj-p4vj-mr35"], "package": "pillow", "rule_id": "PYSEC-2023-227", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2023-44271|docs/requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-8ghj-p4vj-mr35", "PYSEC-2023-227"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["49eae3b78f4794c8066dfa74709d4725df1ae8cedc5e4d9fd7f5b48b7f4f55bf", "6e085279daf94989d2abe25f0320ef723d4f294157ba5060c1d8c52f8d9889b9"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-175", "level": "error", "message": {"text": "pillow: PYSEC-2023-175"}, "properties": {"repobilityId": 54234, "scanner": "osv-scanner", "fingerprint": "9d3bdae3cadafeac2793d08a5b0e1d68b2170158e7ce1c824c0604a3d182ea89", "category": 
"dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "package": "pillow", "rule_id": "PYSEC-2023-175", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2023-4863|docs/requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-j7hp-h8jx-5ppr", "PYSEC-2023-175"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["452eeac89040b35d6931c2ecc135ef19a6a991cca1b4fc43ef71b7f342d6f298", "9d3bdae3cadafeac2793d08a5b0e1d68b2170158e7ce1c824c0604a3d182ea89"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 54229, "scanner": "repobility-threat-engine", "fingerprint": "efc624861bf9da159326d961bc6726663c6c18b7c315412f826b13569a56808e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|efc624861bf9da159326d961bc6726663c6c18b7c315412f826b13569a56808e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/spiders/request.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an 
unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 54222, "scanner": "repobility-threat-engine", "fingerprint": "44ae21fe007ced2bcdb079d25c6c93414538ea222677d6cefb9d360c28f56242", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.__dict__.update(state)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|44ae21fe007ced2bcdb079d25c6c93414538ea222677d6cefb9d360c28f56242"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/spiders/request.py"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 54185, "scanner": "repobility-threat-engine", "fingerprint": "bf5ee5fdc870d5bede5e8d26a8f25f5b2c5e420e290a39dedd8407eaabda998f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "result.update(validated_dict)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf5ee5fdc870d5bede5e8d26a8f25f5b2c5e420e290a39dedd8407eaabda998f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/engines/_browsers/_validators.py"}, "region": {"startLine": 209}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 54169, "scanner": "repobility-threat-engine", "fingerprint": "64d82fedb3b46c3a1315616eddf8e010b51a0e922d324340da8f15b79ff51382", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|64d82fedb3b46c3a1315616eddf8e010b51a0e922d324340da8f15b79ff51382"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/spiders/links.py"}, "region": {"startLine": 249}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 54167, "scanner": "repobility-threat-engine", "fingerprint": "627c7b2cd6aa965afb72b7c5abf0d87926f09fe3d3c562bc65426cff16a32e75", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|627c7b2cd6aa965afb72b7c5abf0d87926f09fe3d3c562bc65426cff16a32e75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/engines/_browsers/_validators.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 54165, "scanner": "repobility-threat-engine", "fingerprint": "b50e3e88acea2198572d738af3f39c0ddee342d828ad1802723818bb8422ef65", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b50e3e88acea2198572d738af3f39c0ddee342d828ad1802723818bb8422ef65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/core/storage.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `_general_selection` has cognitive complexity 55 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=2, elif=1, else=3, for=1, if=8, nested_bonus=35, ternary=4, while=1."}, "properties": {"repobilityId": 54160, "scanner": "repobility-threat-engine", "fingerprint": "aaff99c6e9efea076b946d3895791e94a8623d44888bbaa48fb1d2b00bbd1b65", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 55 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_general_selection", "breakdown": {"if": 8, "for": 1, "elif": 1, "else": 3, "break": 2, "while": 1, "ternary": 4, "nested_bonus": 35}, "complexity": 55, "correlation_key": "fp|aaff99c6e9efea076b946d3895791e94a8623d44888bbaa48fb1d2b00bbd1b65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/core/mixins.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 54154, "scanner": "repobility-threat-engine", "fingerprint": "ccd7ea71d6732a12aebf8f227b0c37aa37529e0dba2c19885dd7daef67b63c99", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ccd7ea71d6732a12aebf8f227b0c37aa37529e0dba2c19885dd7daef67b63c99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 54141, "scanner": "repobility-supply-chain", "fingerprint": "a4ac84d2f11e3382ec56f13acb6b41f45cf51c9edb0f016f9a35dab62260c4b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a4ac84d2f11e3382ec56f13acb6b41f45cf51c9edb0f016f9a35dab62260c4b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 54134, "scanner": "repobility-supply-chain", "fingerprint": "9b2e696c91fc6fe1cb49629d3bbe51e0a5bd1c0dab98b5d7d9d1a17f9d4c0677", "category": "dependency", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b2e696c91fc6fe1cb49629d3bbe51e0a5bd1c0dab98b5d7d9d1a17f9d4c0677"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yml"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 54133, "scanner": "repobility-supply-chain", "fingerprint": "f84e273cfc58e881c53cfe2262e67f6b15939171e8992a16ab8bb4f03b4b2982", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f84e273cfc58e881c53cfe2262e67f6b15939171e8992a16ab8bb4f03b4b2982"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 54132, "scanner": "repobility-supply-chain", "fingerprint": "e3c123355b1bda6678bae0bdd76ad6a365723bc3a8471fcdfcb0c31959e8a7c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|e3c123355b1bda6678bae0bdd76ad6a365723bc3a8471fcdfcb0c31959e8a7c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 54131, "scanner": "repobility-supply-chain", "fingerprint": "9ac5e232250c05cbf319a1943c0f7fe5db5a308811ebed0e40aae61052b7e6df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ac5e232250c05cbf319a1943c0f7fe5db5a308811ebed0e40aae61052b7e6df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 54130, "scanner": "repobility-supply-chain", "fingerprint": "c402ed3f05599b16daa6664d5598b203d8eb3f3f686623c339083e2eea90884b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c402ed3f05599b16daa6664d5598b203d8eb3f3f686623c339083e2eea90884b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, 
"properties": {"repobilityId": 54129, "scanner": "repobility-supply-chain", "fingerprint": "7c9a5bb61d22404ba7f26b976ee0ee1b81899be27ec8663ce5bdf41eb8b0b801", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c9a5bb61d22404ba7f26b976ee0ee1b81899be27ec8663ce5bdf41eb8b0b801"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 54128, "scanner": "repobility-supply-chain", "fingerprint": "409bb004d5f0ee3f9c3f801ab13ff0f20dd720dc4d571aeb03b0296a91bc0e0d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|409bb004d5f0ee3f9c3f801ab13ff0f20dd720dc4d571aeb03b0296a91bc0e0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`"}, "properties": {"repobilityId": 54126, "scanner": "repobility-supply-chain", "fingerprint": "44305f37155a1b8ca6a0b31275266609da2c74724775c211b128359752b764ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44305f37155a1b8ca6a0b31275266609da2c74724775c211b128359752b764ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-and-publish.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 54125, "scanner": "repobility-supply-chain", "fingerprint": "92086501044f5eaa8168f6c0aa9bd8689b62f07262c554ff75ca37b7f06dfa1a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|92086501044f5eaa8168f6c0aa9bd8689b62f07262c554ff75ca37b7f06dfa1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-and-publish.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 54124, "scanner": "repobility-supply-chain", "fingerprint": "bd8de6a518e847752e589ad239abcea503769e2fa42ec5d2bbcb7aa7e24be262", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd8de6a518e847752e589ad239abcea503769e2fa42ec5d2bbcb7aa7e24be262"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-and-publish.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 54123, "scanner": "repobility-supply-chain", "fingerprint": "a4af9c590a9c8d540d8772c43ffeb1ad9a58bfafd2ee25882be2c6710479c0d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a4af9c590a9c8d540d8772c43ffeb1ad9a58bfafd2ee25882be2c6710479c0d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-and-publish.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 54122, "scanner": "repobility-supply-chain", "fingerprint": "0c76f89689e837613c2f8618bf0fabe3e296d957469dd5a72dd9b97dd376cfaa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c76f89689e837613c2f8618bf0fabe3e296d957469dd5a72dd9b97dd376cfaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-and-publish.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/netromdk/vermin` pinned to mutable rev `v1.7.0`"}, 
"properties": {"repobilityId": 54116, "scanner": "repobility-supply-chain", "fingerprint": "412ab0b384eac38cc70d94b14f07490c35b2322114cb22f5d977b7e201081f06", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|412ab0b384eac38cc70d94b14f07490c35b2322114cb22f5d977b7e201081f06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/PyCQA/bandit` pinned to mutable rev `1.9.0`"}, "properties": {"repobilityId": 54115, "scanner": "repobility-supply-chain", "fingerprint": "49de9bf3829e5f15426b4b156cf50c5a7200719fb6990183e78bd43648eb5d09", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|49de9bf3829e5f15426b4b156cf50c5a7200719fb6990183e78bd43648eb5d09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.12-slim-trixie` not pinned by digest"}, "properties": {"repobilityId": 54114, "scanner": "repobility-supply-chain", "fingerprint": "8f09e48099b11f7f93e3a242a0a5334b293c30cb0509cdd2a2ea5e671d457702", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f09e48099b11f7f93e3a242a0a5334b293c30cb0509cdd2a2ea5e671d457702"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `requests.append` inside async function `test_snapshot_returns_copies`"}, "properties": {"repobilityId": 54109, "scanner": "repobility-ast-engine", "fingerprint": "c9c6f278c0ad8e6702578528020cf5b6493f62b3498dcdb58831fbc5b2bce0ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c9c6f278c0ad8e6702578528020cf5b6493f62b3498dcdb58831fbc5b2bce0ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/spiders/test_scheduler.py"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_get_nonexistent_raises_with_available"}, "properties": {"repobilityId": 54108, "scanner": "repobility-ast-engine", "fingerprint": "5abfddf8ea642d78d5652c0814f8a8006f113317ac9ac2c8537ebb62021fba85", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|5abfddf8ea642d78d5652c0814f8a8006f113317ac9ac2c8537ebb62021fba85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/spiders/test_session.py"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_remove_nonexistent_raises"}, "properties": {"repobilityId": 54107, "scanner": "repobility-ast-engine", "fingerprint": "71f51203f4da4e7b529364e59f8881565555560c14e20fd3b4c02fe8c4b9b010", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|71f51203f4da4e7b529364e59f8881565555560c14e20fd3b4c02fe8c4b9b010"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/spiders/test_session.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_add_duplicate_id_raises"}, "properties": {"repobilityId": 54106, "scanner": "repobility-ast-engine", "fingerprint": "8e55cca8d4f12411e26513f49917514735eab07ec1d00c8d1cf67f09b54e05ef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8e55cca8d4f12411e26513f49917514735eab07ec1d00c8d1cf67f09b54e05ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/spiders/test_session.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: 
test_manager_no_default_session_when_empty"}, "properties": {"repobilityId": 54105, "scanner": "repobility-ast-engine", "fingerprint": "08493dd6dd689730e4aea59ca4cd3e79155f901ff05fec046f57a308a3df12fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08493dd6dd689730e4aea59ca4cd3e79155f901ff05fec046f57a308a3df12fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/spiders/test_session.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_cleanup_no_error_when_no_file"}, "properties": {"repobilityId": 54104, "scanner": "repobility-ast-engine", "fingerprint": "cd6b6db2b5e6acda6c4156f554f91fcf33007c1ac40486d6ff2caf3354caba60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd6b6db2b5e6acda6c4156f554f91fcf33007c1ac40486d6ff2caf3354caba60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/spiders/test_checkpoint.py"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_init_with_invalid_interval_type_raises"}, "properties": {"repobilityId": 54103, "scanner": "repobility-ast-engine", "fingerprint": "041bd327ff0d2b00e57c137b49540d29e76cdcfa9e44feb94f489246e65203ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|041bd327ff0d2b00e57c137b49540d29e76cdcfa9e44feb94f489246e65203ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/spiders/test_checkpoint.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_init_with_negative_interval_raises"}, "properties": {"repobilityId": 54102, "scanner": "repobility-ast-engine", "fingerprint": "7b1113c7c51dbcf63d8bc66e8fa9023e984f78c944a73d7ff45bbcf88e9a825c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7b1113c7c51dbcf63d8bc66e8fa9023e984f78c944a73d7ff45bbcf88e9a825c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/spiders/test_checkpoint.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_start_requests_raises_when_nothing_configured"}, "properties": {"repobilityId": 54101, "scanner": "repobility-ast-engine", "fingerprint": "e2dcd4da6ebf87d56dc0dde330c53903874db1d848e103ebbcd212d88158c23a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|e2dcd4da6ebf87d56dc0dde330c53903874db1d848e103ebbcd212d88158c23a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/spiders/test_sitemap.py"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_invalid_header_format"}, "properties": {"repobilityId": 54099, "scanner": "repobility-ast-engine", "fingerprint": "87230ca1e958c6aeb2e1ad9beb1a09aec1386f0f3ae431db0b88f39a9b8656ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|87230ca1e958c6aeb2e1ad9beb1a09aec1386f0f3ae431db0b88f39a9b8656ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/test_shell_core.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_json_error_handling"}, "properties": {"repobilityId": 54098, "scanner": "repobility-ast-engine", "fingerprint": "cfd6a848fd144c08b0490a017bd52028d53e6b81b6e6930c198589ddea9bd7b7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cfd6a848fd144c08b0490a017bd52028d53e6b81b6e6930c198589ddea9bd7b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/parser/test_attributes_handler.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: 
test_text_handler_json_invalid"}, "properties": {"repobilityId": 54097, "scanner": "repobility-ast-engine", "fingerprint": "ee437fc885a972e9f33502900e07cc9bc458b1eb8b083d8c854b09d532b9d20d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee437fc885a972e9f33502900e07cc9bc458b1eb8b083d8c854b09d532b9d20d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/parser/test_parser_advanced.py"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_unpickleable_objects"}, "properties": {"repobilityId": 54096, "scanner": "repobility-ast-engine", "fingerprint": "be8f2ab9d41a4e5a4e27278ffdaa12d91d55e505794319e93c2c8ffa97e5927c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|be8f2ab9d41a4e5a4e27278ffdaa12d91d55e505794319e93c2c8ffa97e5927c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/parser/test_general.py"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_bad_selectors"}, "properties": {"repobilityId": 54095, "scanner": "repobility-ast-engine", "fingerprint": "d4eeec424b0751435f6023bf4b77097e8b4478e53fd57019dda235ad1f778318", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4eeec424b0751435f6023bf4b77097e8b4478e53fd57019dda235ad1f778318"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/parser/test_general.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_invalid_storage"}, "properties": {"repobilityId": 54094, "scanner": "repobility-ast-engine", "fingerprint": "33d6cac1cc8db1333e73b74688c5ec151e9c239035a7b1637edf44f64bab6b8f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|33d6cac1cc8db1333e73b74688c5ec151e9c239035a7b1637edf44f64bab6b8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/parser/test_general.py"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_invalid_selector_initialization"}, "properties": {"repobilityId": 54093, "scanner": "repobility-ast-engine", "fingerprint": "cf2f093cf374c48162b1c0572433d5814491e291b6563bb8ca996f79aafac77a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf2f093cf374c48162b1c0572433d5814491e291b6563bb8ca996f79aafac77a"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "tests/parser/test_general.py"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54092, "scanner": "repobility-ast-engine", "fingerprint": "8a7c2153495bd563a828b8b48b94e896349389f853fbf3a97652038c98e5ee95", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a7c2153495bd563a828b8b48b94e896349389f853fbf3a97652038c98e5ee95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 443}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.iterancestors` used but never assigned in __init__"}, "properties": {"repobilityId": 54091, "scanner": "repobility-ast-engine", "fingerprint": "15815af706101b63334f5699f13ba47d034a9f5d81468d97581cc5527e2a5914", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|15815af706101b63334f5699f13ba47d034a9f5d81468d97581cc5527e2a5914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 437}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.iterancestors` used but never assigned in __init__"}, "properties": {"repobilityId": 54090, "scanner": "repobility-ast-engine", "fingerprint": 
"9706e25850c75b356a6933da19fd63a13daa69d0f9dd7a0f1700777783a823a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9706e25850c75b356a6933da19fd63a13daa69d0f9dd7a0f1700777783a823a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 429}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.__element_convertor` used but never assigned in __init__"}, "properties": {"repobilityId": 54089, "scanner": "repobility-ast-engine", "fingerprint": "0f782126846f6074abb30505f0bb0364abb9294a1a36e6931314890d3d0c3108", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0f782126846f6074abb30505f0bb0364abb9294a1a36e6931314890d3d0c3108"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 422}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54088, "scanner": "repobility-ast-engine", "fingerprint": "aefc43e64ae456a7d48333f187f8d86f644b3f29cd82435133e7cbdff888d66b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], 
"observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aefc43e64ae456a7d48333f187f8d86f644b3f29cd82435133e7cbdff888d66b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 419}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.parent` used but never assigned in __init__"}, "properties": {"repobilityId": 54087, "scanner": "repobility-ast-engine", "fingerprint": "b447370313cc9dbe3c4cda046c9370be9bbec145e90792cdd550ee8528f6d013", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b447370313cc9dbe3c4cda046c9370be9bbec145e90792cdd550ee8528f6d013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 414}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.parent` used but never assigned in __init__"}, "properties": {"repobilityId": 54086, "scanner": "repobility-ast-engine", "fingerprint": "82930220d1043ff7db69de9b1b5144b6a284d7906cbb488bac4bd02b27733244", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|82930220d1043ff7db69de9b1b5144b6a284d7906cbb488bac4bd02b27733244"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 413}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": 
"`self.__element_convertor` used but never assigned in __init__"}, "properties": {"repobilityId": 54085, "scanner": "repobility-ast-engine", "fingerprint": "e6e4023b757389e634607590c965d792f4e520a9a300752fb7b76272f2c72daa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e6e4023b757389e634607590c965d792f4e520a9a300752fb7b76272f2c72daa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 405}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54084, "scanner": "repobility-ast-engine", "fingerprint": "e4a1da57f71b6616eb9e0b4d4fc2eedb883bc55b2dcc1ff080ddf5955f856a46", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e4a1da57f71b6616eb9e0b4d4fc2eedb883bc55b2dcc1ff080ddf5955f856a46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 402}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.__elements_convertor` used but never assigned in __init__"}, "properties": {"repobilityId": 54083, "scanner": "repobility-ast-engine", "fingerprint": "9a45c1f18a9ad43ccbb7445a1a83e3709ccb3d29e861271969aa5e5d4d7f43e7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9a45c1f18a9ad43ccbb7445a1a83e3709ccb3d29e861271969aa5e5d4d7f43e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 397}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54082, "scanner": "repobility-ast-engine", "fingerprint": "93494a77bd1c362191daa406d4ac13cfd0438a413df1c108c752571cf1854680", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|93494a77bd1c362191daa406d4ac13cfd0438a413df1c108c752571cf1854680"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 394}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.__element_convertor` used but never assigned in __init__"}, "properties": {"repobilityId": 54081, "scanner": "repobility-ast-engine", "fingerprint": "77b3298f09d512dbe0946ea83875a1162ffc44460181eb9b20156ff0115d7dcc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|77b3298f09d512dbe0946ea83875a1162ffc44460181eb9b20156ff0115d7dcc"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 389}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54080, "scanner": "repobility-ast-engine", "fingerprint": "293e9ecee13a9292211cac52bf69cd0b2dcc9e805ec63561ddee9140e75c8183", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|293e9ecee13a9292211cac52bf69cd0b2dcc9e805ec63561ddee9140e75c8183"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 381}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54079, "scanner": "repobility-ast-engine", "fingerprint": "568167e1fa9743a2397ea34a72d841d5cedb71add210d121d0e1b9976f47ad9f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|568167e1fa9743a2397ea34a72d841d5cedb71add210d121d0e1b9976f47ad9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 363}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54078, "scanner": "repobility-ast-engine", "fingerprint": 
"368c738cce64b0c27e705c7f995597f17c65ebd23648afe5dd412309541c34fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|368c738cce64b0c27e705c7f995597f17c65ebd23648afe5dd412309541c34fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 357}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54077, "scanner": "repobility-ast-engine", "fingerprint": "0de1f33485e4e2e70687c7d5e8d15cde71550cd2f0e639a853f67ba49ab9e8a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0de1f33485e4e2e70687c7d5e8d15cde71550cd2f0e639a853f67ba49ab9e8a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 347}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54076, "scanner": "repobility-ast-engine", "fingerprint": "542302fd7a1dbc3deb236cae57bde2b5d50c88afc664644e9b1f4b18acb773ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], 
"observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|542302fd7a1dbc3deb236cae57bde2b5d50c88afc664644e9b1f4b18acb773ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 338}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54075, "scanner": "repobility-ast-engine", "fingerprint": "6f7b2aa3fe59c0bc8faf8b188e373868f415c10d5e7eebf8f5a4af4c0f8243fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f7b2aa3fe59c0bc8faf8b188e373868f415c10d5e7eebf8f5a4af4c0f8243fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 298}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54074, "scanner": "repobility-ast-engine", "fingerprint": "ce52cebecb4ff0cae70bcd01e6d3a1e6c3017b0b8f20e2f6463ecb67896421b7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce52cebecb4ff0cae70bcd01e6d3a1e6c3017b0b8f20e2f6463ecb67896421b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": 
"`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54073, "scanner": "repobility-ast-engine", "fingerprint": "b2f55b88635c6a95cbb1f11d562fac1ead4b97ff80e88717cac8b19415e1eb93", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b2f55b88635c6a95cbb1f11d562fac1ead4b97ff80e88717cac8b19415e1eb93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 262}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.__elements_convertor` used but never assigned in __init__"}, "properties": {"repobilityId": 54072, "scanner": "repobility-ast-engine", "fingerprint": "ff6a0686ad57bc4b2af01def61338f085c3be919daea9daf076490fdf4967e68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ff6a0686ad57bc4b2af01def61338f085c3be919daea9daf076490fdf4967e68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 248}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.attrib` used but never assigned in __init__"}, "properties": {"repobilityId": 54071, "scanner": "repobility-ast-engine", "fingerprint": "86f545be6e2fa85f656c1083352c5212fdeb431ecea7fabc45e463d25b2088f7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|86f545be6e2fa85f656c1083352c5212fdeb431ecea7fabc45e463d25b2088f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54070, "scanner": "repobility-ast-engine", "fingerprint": "08264bba9df824f75522a5b609b6fe1de120b3cb2c9c115a54be70e19a239abc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08264bba9df824f75522a5b609b6fe1de120b3cb2c9c115a54be70e19a239abc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.attrib` used but never assigned in __init__"}, "properties": {"repobilityId": 54069, "scanner": "repobility-ast-engine", "fingerprint": "d4a238a6751a0a6938607d324d78a70e39442303b2bed1feeaa071b0c0f003e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4a238a6751a0a6938607d324d78a70e39442303b2bed1feeaa071b0c0f003e2"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_text_node` used but never assigned in __init__"}, "properties": {"repobilityId": 54068, "scanner": "repobility-ast-engine", "fingerprint": "558491a880f61ad1a02fce3566fbabfffb00bd463e5d0e3cd18286bd3a94e8f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|558491a880f61ad1a02fce3566fbabfffb00bd463e5d0e3cd18286bd3a94e8f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/parser.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_autoscraper"}, "properties": {"repobilityId": 54065, "scanner": "repobility-ast-engine", "fingerprint": "eb3527c51c0b9462cb7a81576f961d1a8252ce2464ea9dd96f49020e5c6f628b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb3527c51c0b9462cb7a81576f961d1a8252ce2464ea9dd96f49020e5c6f628b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_scrapling_text"}, "properties": {"repobilityId": 54064, "scanner": "repobility-ast-engine", "fingerprint": "ef754e150bbb8724a32ff8842ea32a297bac774dd4caf36e0bbecb7a9aee0c47", 
"category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef754e150bbb8724a32ff8842ea32a297bac774dd4caf36e0bbecb7a9aee0c47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_selectolax"}, "properties": {"repobilityId": 54063, "scanner": "repobility-ast-engine", "fingerprint": "4caf5ab1fd862c6c16ba9dc531a22f7cf1c39338e378d012abeabc12f298e384", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4caf5ab1fd862c6c16ba9dc531a22f7cf1c39338e378d012abeabc12f298e384"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_mechanicalsoup"}, "properties": {"repobilityId": 54062, "scanner": "repobility-ast-engine", "fingerprint": "16ba4557bd56480658a78be7144cc86fac02ab2f0340bb218872813c102a141c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|16ba4557bd56480658a78be7144cc86fac02ab2f0340bb218872813c102a141c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_parsel"}, "properties": {"repobilityId": 54061, "scanner": "repobility-ast-engine", "fingerprint": "f56bc07e232c383b978d142168a08a7f23796d364e076014c1ba99eb947ccdf0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f56bc07e232c383b978d142168a08a7f23796d364e076014c1ba99eb947ccdf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_scrapling"}, "properties": {"repobilityId": 54060, "scanner": "repobility-ast-engine", "fingerprint": "1d25881febdc559f0d51cfa65afefa2b961b54a0ccefd579fe9d2bc44983868b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d25881febdc559f0d51cfa65afefa2b961b54a0ccefd579fe9d2bc44983868b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_pyquery"}, "properties": {"repobilityId": 54059, "scanner": "repobility-ast-engine", "fingerprint": 
"d406ce9adbb68df83cd8792faee0fa9ac4fe0745ea07516326c82a22d6e30121", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d406ce9adbb68df83cd8792faee0fa9ac4fe0745ea07516326c82a22d6e30121"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_bs4_html5lib"}, "properties": {"repobilityId": 54058, "scanner": "repobility-ast-engine", "fingerprint": "bc35d443bc94ec1c1c1bda9547db7187e2fa9a235276abea1e3efc9d9dfb75fa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bc35d443bc94ec1c1c1bda9547db7187e2fa9a235276abea1e3efc9d9dfb75fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_bs4_lxml"}, "properties": {"repobilityId": 54057, "scanner": "repobility-ast-engine", "fingerprint": "5a74b76449e5d3dce24ac714e9dd018f36e390e3629945006e3f532a4e0bc0e3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|5a74b76449e5d3dce24ac714e9dd018f36e390e3629945006e3f532a4e0bc0e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_lxml"}, "properties": {"repobilityId": 54056, "scanner": "repobility-ast-engine", "fingerprint": "14b9af544a5a653c5db4e251c276e73b652cfe864f7cc0fa96535b52d96e27c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|14b9af544a5a653c5db4e251c276e73b652cfe864f7cc0fa96535b52d96e27c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "GHSA-3f63-hfp8-52jq", "level": "error", "message": {"text": "pillow: GHSA-3f63-hfp8-52jq"}, "properties": {"repobilityId": 54237, "scanner": "osv-scanner", "fingerprint": "aa9e47ea90cd6296ddcbedfe5450ac0641980b42aae6517a767eef85c4946503", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2023-50447", "CVE-2023-50447"], "package": "pillow", "rule_id": "GHSA-3f63-hfp8-52jq", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2023-50447|docs/requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED030", "level": "error", "message": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "properties": {"repobilityId": 54228, "scanner": 
"repobility-threat-engine", "fingerprint": "993344f77e6dc156917ebf64d9947434e1406c3b02edc10865454ca5a7535e43", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pickle-loads", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347968+00:00", "triaged_in_corpus": 20, "observations_count": 6314, "ai_coder_pattern_id": 119}, "scanner": "repobility-threat-engine", "correlation_key": "fp|993344f77e6dc156917ebf64d9947434e1406c3b02edc10865454ca5a7535e43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/spiders/checkpoint.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 54227, "scanner": "repobility-threat-engine", "fingerprint": "48a90fada6896bee716af3699cee9654baf0f2fe6538bacddacc5be323410716", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|48a90fada6896bee716af3699cee9654baf0f2fe6538bacddacc5be323410716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/spiders/checkpoint.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC081", "level": "error", 
"message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "properties": {"repobilityId": 54226, "scanner": "repobility-threat-engine", "fingerprint": "b6b33480cd52930bcb95b90e416ef4022b20d50bb648a86b14de82ce55ab5b8f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.loads(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b6b33480cd52930bcb95b90e416ef4022b20d50bb648a86b14de82ce55ab5b8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/spiders/checkpoint.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 54223, "scanner": "repobility-threat-engine", "fingerprint": "bbf1e4306f74f746e0f2902b3568b25c4df4ade720e3b388f4068b5adb3624a0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bbf1e4306f74f746e0f2902b3568b25c4df4ade720e3b388f4068b5adb3624a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"scrapling/engines/toolbelt/proxy_rotation.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CONTAINER_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 54148, "scanner": "repobility-supply-chain", "fingerprint": "eb14d7ee6208399c4cdc62b974435e2534576a446e46c3d421c01f3cd749eada", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb14d7ee6208399c4cdc62b974435e2534576a446e46c3d421c01f3cd749eada"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKER_PASSWORD` on a `pull_request` trigger"}, "properties": {"repobilityId": 54146, "scanner": "repobility-supply-chain", "fingerprint": "e6d787158de5c7ea19f24543a74b76579965e923baa62c71bc88c8fd8989b02a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6d787158de5c7ea19f24543a74b76579965e923baa62c71bc88c8fd8989b02a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKER_USERNAME` on a `pull_request` trigger"}, "properties": {"repobilityId": 54143, 
"scanner": "repobility-supply-chain", "fingerprint": "c0663dc75411e5ce399f912f5b6e79cecd59cfa6f1d5201177500ac0aa545ad3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c0663dc75411e5ce399f912f5b6e79cecd59cfa6f1d5201177500ac0aa545ad3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-build.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "GHA script injection via github.event.pull_request.title in run-step"}, "properties": {"repobilityId": 54127, "scanner": "repobility-supply-chain", "fingerprint": "6e6a48f9ea5613e0a4b4e48b3dabaa5f204cefd916e5ea891a8abc4bf71c0c29", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e6a48f9ea5613e0a4b4e48b3dabaa5f204cefd916e5ea891a8abc4bf71c0c29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-and-publish.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `string` used but not imported"}, "properties": {"repobilityId": 54113, "scanner": "repobility-ast-engine", "fingerprint": "7bd782e508cd8d78ad4cceaa91ff503e4d8f63b33269bb25a8afaa93ede3154e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7bd782e508cd8d78ad4cceaa91ff503e4d8f63b33269bb25a8afaa93ede3154e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scrapling/core/utils/_utils.py"}, "region": {"startLine": 119}}}]}]}]}