{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. 
If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8 and ::1), and check the resolved IP address and every redirect target rather than only the hostname string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC025", "name": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader (and 2 more): Same pattern found in 2 additional f", "shortDescription": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Set XmlResolver = null on XmlDocument before Load. On XmlReader, pass XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null }. Prefer XDocument / XElement which don't expand external entities by default."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED051", "name": "[MINED051] Csharp Null Forgive (and 18 more): Same pattern found in 18 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED051] Csharp Null Forgive (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Read the key from an environment variable or a secret store instead of source code, and add any local file that holds it to .gitignore. A key that has already been committed stays in the Git history, so rotate it."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.JF_BOT_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). By default GitHub does not pass repository secrets to `pull_request` runs that come from a fork, so confirm that fork runs actually receive this secret when triaging. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/938"}, "properties": {"repository": "jellyfin/jellyfin", "repoUrl": "https://github.com/jellyfin/jellyfin", "branch": "master"}, "results": [{"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 88098, "scanner": "repobility-threat-engine", "fingerprint": "93871f5339d434b35ebee268e250887bc779749b111508afc102878614f87d25", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "App.UseDeveloperExceptionPage()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|93871f5339d434b35ebee268e250887bc779749b111508afc102878614f87d25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Server/Startup.cs"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 88072, "scanner": "repobility-threat-engine", "fingerprint": "fbb3d6a06bb53fb0caa6935c2893bbb1d6c643c8441cc1b42e3aa5c9f8bf8871", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n                    catch (DirectoryNotFoundException)\n                    {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fbb3d6a06bb53fb0caa6935c2893bbb1d6c643c8441cc1b42e3aa5c9f8bf8871"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MediaBrowser.Controller/Providers/DirectoryService.cs"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 88071, "scanner": "repobility-threat-engine", "fingerprint": "b08326d1787da3a2a60c7fef4691075d815f1e3e85169bd80f388c3b3f55f46a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n        catch (ArgumentException)\n        {\n            return null;\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b08326d1787da3a2a60c7fef4691075d815f1e3e85169bd80f388c3b3f55f46a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/Library/DotIgnoreIgnoreRule.cs"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 88070, "scanner": "repobility-threat-engine", "fingerprint": "f9258f696d56af07bea9135385714c019627f874c38c967da7f243d31d6181f3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n        catch (IOException)\n        {\n            return [];\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f9258f696d56af07bea9135385714c019627f874c38c967da7f243d31d6181f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/Chapters/ChapterManager.cs"}, "region": {"startLine": 282}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 88102, "scanner": "repobility-threat-engine", "fingerprint": "9660cac05331eadf9e2d8f903c9277e3ea718c73f91858455ffe756214b940e4", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"/LiveTv/LiveStreamFiles/\" + UniqueId + \"/stream.ts\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9660cac05331eadf9e2d8f903c9277e3ea718c73f91858455ffe756214b940e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Jellyfin.LiveTv/TunerHosts/SharedHttpStream.cs"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 88101, "scanner": "repobility-threat-engine", "fingerprint": "2be71a5159fcbc105558fcb7c99be8c4aa84d8d63edc46da6edc86a2d7db124a", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"/LiveTv/LiveStreamFiles/\" + UniqueId + \"/stream.ts\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2be71a5159fcbc105558fcb7c99be8c4aa84d8d63edc46da6edc86a2d7db124a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Jellyfin.LiveTv/TunerHosts/HdHomerun/HdHomerunUdpStream.cs"}, "region": {"startLine": 150}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88058, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c58abf80c6227e97f2ebf9aec69eb38c2ab024d739c0f63dfe9323948d1930b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Jellyfin.Server.Implementations/Events/Consumers/Session/PlaybackStartLogger.cs", "duplicate_line": 51, "correlation_key": "fp|6c58abf80c6227e97f2ebf9aec69eb38c2ab024d739c0f63dfe9323948d1930b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Server.Implementations/Events/Consumers/Session/PlaybackStopLogger.cs"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88057, "scanner": "repobility-ai-code-hygiene", "fingerprint": "edf97f2efbe607c92212a43c39aefa664e7b8341e45ef89233d0b81ab9a17a2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Jellyfin.Server.Implementations/Events/Consumers/Library/LyricDownloadFailureLogger.cs", "duplicate_line": 31, "correlation_key": "fp|edf97f2efbe607c92212a43c39aefa664e7b8341e45ef89233d0b81ab9a17a2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Server.Implementations/Events/Consumers/Library/SubtitleDownloadFailureLogger.cs"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88056, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa7de735822091fcef05f9983c7e9aee96429eab4355560a110f3a47ad0c4619", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Jellyfin.Api/ModelBinders/CommaDelimitedCollectionModelBinder.cs", "duplicate_line": 12, "correlation_key": "fp|fa7de735822091fcef05f9983c7e9aee96429eab4355560a110f3a47ad0c4619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Api/ModelBinders/PipeDelimitedCollectionModelBinder.cs"}, "region": {"startLine": 12}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88055, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d413df7ebbd781291c108c7ee899a8bcc325cda58b0842718227d52f13b9c61", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Jellyfin.Api/Helpers/AudioHelper.cs", "duplicate_line": 59, "correlation_key": "fp|1d413df7ebbd781291c108c7ee899a8bcc325cda58b0842718227d52f13b9c61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Api/Helpers/DynamicHlsHelper.cs"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88054, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c30eba477c2d82de79d7965a65d34663b456593c7ebb5e2f00f644e99aa9eb86", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Jellyfin.Api/Controllers/AudioController.cs", "duplicate_line": 27, "correlation_key": "fp|c30eba477c2d82de79d7965a65d34663b456593c7ebb5e2f00f644e99aa9eb86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Api/Controllers/VideosController.cs"}, "region": {"startLine": 197}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 88053, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d06a5c6362239c3617a81bae29c557b7b3c829b8478c45738749ecb12e021c29", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Jellyfin.Api/Controllers/LibraryController.cs", "duplicate_line": 114, "correlation_key": "fp|d06a5c6362239c3617a81bae29c557b7b3c829b8478c45738749ecb12e021c29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Api/Controllers/VideosController.cs"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88052, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec7732f1ed61be964c08b2927a5af18cd6ceeaf5a43d1ab2cbd3652d944923c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Jellyfin.Api/Controllers/ItemsController.cs", "duplicate_line": 420, "correlation_key": "fp|ec7732f1ed61be964c08b2927a5af18cd6ceeaf5a43d1ab2cbd3652d944923c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Api/Controllers/TrailersController.cs"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88051, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"23667e47260fe0b9b7e25dc01577c5cc65e6456d231f0a337e7f5d33e5ecefa5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Jellyfin.Api/Controllers/GenresController.cs", "duplicate_line": 63, "correlation_key": "fp|23667e47260fe0b9b7e25dc01577c5cc65e6456d231f0a337e7f5d33e5ecefa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Api/Controllers/StudiosController.cs"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88050, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0efb288fd75cf52ef9370e5e067cb52f46a38a88ee4ba087ca18a8f07f5850c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Jellyfin.Api/Controllers/ArtistsController.cs", "duplicate_line": 105, "correlation_key": "fp|0efb288fd75cf52ef9370e5e067cb52f46a38a88ee4ba087ca18a8f07f5850c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Api/Controllers/MusicGenresController.cs"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88049, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c257feef13d8f119edcf38c180b7151f10fc8143c305eafc8b5bb28861034c0", "category": "quality", "severity": 
"low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Jellyfin.Api/Controllers/GenresController.cs", "duplicate_line": 41, "correlation_key": "fp|0c257feef13d8f119edcf38c180b7151f10fc8143c305eafc8b5bb28861034c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Api/Controllers/MusicGenresController.cs"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88048, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e52cda5df428a3a6cd92f0e875c46bccf9236aae8b8d3167cb0d2ce2dcf46a07", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Jellyfin.Api/Controllers/ArtistsController.cs", "duplicate_line": 105, "correlation_key": "fp|e52cda5df428a3a6cd92f0e875c46bccf9236aae8b8d3167cb0d2ce2dcf46a07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Api/Controllers/GenresController.cs"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88047, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fbd5fe69605794fb9f9214bd831b91b710be40410bd8191dd81c03e986bac897", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": 
"A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Emby.Server.Implementations/ScheduledTasks/Tasks/DeleteTranscodeFileTask.cs", "duplicate_line": 34, "correlation_key": "fp|fbd5fe69605794fb9f9214bd831b91b710be40410bd8191dd81c03e986bac897"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/ScheduledTasks/Tasks/PluginUpdateTask.cs"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88046, "scanner": "repobility-ai-code-hygiene", "fingerprint": "14ba05e72a076a9c9ce99978cc1bb57ad54e447b18f483cba35f69f8c4c6d5a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Emby.Server.Implementations/ScheduledTasks/Tasks/DeleteCacheFileTask.cs", "duplicate_line": 68, "correlation_key": "fp|14ba05e72a076a9c9ce99978cc1bb57ad54e447b18f483cba35f69f8c4c6d5a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/ScheduledTasks/Tasks/DeleteTranscodeFileTask.cs"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88045, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bcd423d5047728e1eab6e8e566eb6221cdc50822f54731f0494cd6b208033e76", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Emby.Server.Implementations/ScheduledTasks/Tasks/DeleteCacheFileTask.cs", "duplicate_line": 35, "correlation_key": "fp|bcd423d5047728e1eab6e8e566eb6221cdc50822f54731f0494cd6b208033e76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/ScheduledTasks/Tasks/DeleteLogFileTask.cs"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88044, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6731071f4c447bee1dd756fed977922fbe8fea8b49de910b2f13843751ee955f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Emby.Server.Implementations/Library/Validators/GenresValidator.cs", "duplicate_line": 55, "correlation_key": "fp|6731071f4c447bee1dd756fed977922fbe8fea8b49de910b2f13843751ee955f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/Library/Validators/MusicGenresValidator.cs"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88043, "scanner": "repobility-ai-code-hygiene", "fingerprint": "356a459a626e31099a748a7d6f2f678897e10f1b04f4ec62e6c1b7964aa0d379", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Emby.Server.Implementations/Library/LiveStreamHelper.cs", "duplicate_line": 89, "correlation_key": "fp|356a459a626e31099a748a7d6f2f678897e10f1b04f4ec62e6c1b7964aa0d379"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/Library/MediaSourceManager.cs"}, "region": {"startLine": 628}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 88100, "scanner": "repobility-threat-engine", "fingerprint": "80514bb6cd312c417d2c7c133331fd82bcc61e3472ff525557f656a5d3ddb407", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|80514bb6cd312c417d2c7c133331fd82bcc61e3472ff525557f656a5d3ddb407"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MediaBrowser.XbmcMetadata/Savers/SeriesNfoSaver.cs"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 88099, "scanner": "repobility-threat-engine", "fingerprint": "56420b00cfad49c1d27bd1630109d2e7c0aa1b9d8ff0c019890be0869c850786", "category": "quality", "severity": "info", 
"confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|56420b00cfad49c1d27bd1630109d2e7c0aa1b9d8ff0c019890be0869c850786"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MediaBrowser.Providers/TV/Zap2ItExternalUrlProvider.cs"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 88095, "scanner": "repobility-threat-engine", "fingerprint": "d57f94c2e96069b4a87a7fb2ba46f76103ae7ecd579ffae7064a6551df416baa", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d57f94c2e96069b4a87a7fb2ba46f76103ae7ecd579ffae7064a6551df416baa"}}}, {"ruleId": "SEC025", "level": "none", "message": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 88091, "scanner": "repobility-threat-engine", "fingerprint": "38926d6b6cfc66087ea1eb132a86cd1e7afed6536d0de46c201b22263cdcf7e5", "category": "xxe", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC025", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|38926d6b6cfc66087ea1eb132a86cd1e7afed6536d0de46c201b22263cdcf7e5"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 88087, "scanner": "repobility-threat-engine", "fingerprint": "47e1cff322a9aa3e3afc579504a170593e62730645109b7efa83425dedf8f3d7", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Cryptographic handling (password hashing, not hardcoded)", "evidence": {"match": "logger.LogInformation(\"Migrating password hash of {User} to the latest default\", username)", "reason": "Cryptographic handling (password hashing, not hardcoded)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|8|logger.loginformation migrating password hash of user to the latest default username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs"}, "region": {"startLine": 86}}}]}, {"ruleId": 
"SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 88086, "scanner": "repobility-threat-engine", "fingerprint": "c3b6558f8980284426692a01fc7c890cee265671a33b167fe1f296fbe7f9875e", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "logger.LogDebug(\"Removing expired secret {Secret}\", secret)", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|22|logger.logdebug removing expired secret secret secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/QuickConnect/QuickConnectManager.cs"}, "region": {"startLine": 222}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 88085, "scanner": "repobility-threat-engine", "fingerprint": "f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 88081, "scanner": "repobility-threat-engine", "fingerprint": "3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "aggregated_count": 3}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 88077, "scanner": "repobility-threat-engine", "fingerprint": "71af304deb79f11bf47a52bc438c40bc91538148803a4f9a07dffd45e99cfe31", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|71af304deb79f11bf47a52bc438c40bc91538148803a4f9a07dffd45e99cfe31", "aggregated_count": 18}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 88076, "scanner": "repobility-threat-engine", "fingerprint": "16997a6cb3cc25241a217b6cde3777209e71cf78b45278988f6d289ece77ad2b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|16997a6cb3cc25241a217b6cde3777209e71cf78b45278988f6d289ece77ad2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/IO/FileRefresher.cs"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. 
NRE risk if wrong."}, "properties": {"repobilityId": 88075, "scanner": "repobility-threat-engine", "fingerprint": "557bdfea8a24e0369e8f07624e240bf9d469e8a7335b151587c703dee43908bf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|557bdfea8a24e0369e8f07624e240bf9d469e8a7335b151587c703dee43908bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/Data/CleanDatabaseScheduledTask.cs"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. 
NRE risk if wrong."}, "properties": {"repobilityId": 88074, "scanner": "repobility-threat-engine", "fingerprint": "54ce068c4cda2eb468da74854b850f4a8f14d5da9cd11c2f260815a57299a73e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|54ce068c4cda2eb468da74854b850f4a8f14d5da9cd11c2f260815a57299a73e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/Collections/CollectionImageProvider.cs"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC136", "level": "none", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 88073, "scanner": "repobility-threat-engine", "fingerprint": "8e478e56b730255b619eaaf214c2ac68864bd09b58591d59c20fe11bd4508abd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8e478e56b730255b619eaaf214c2ac68864bd09b58591d59c20fe11bd4508abd"}}}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88094, "scanner": "repobility-threat-engine", "fingerprint": "7eb10eec0ddf02a18480572702ab3c6ef684a501abb405fc18698f7b4e2adf36", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(H", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7eb10eec0ddf02a18480572702ab3c6ef684a501abb405fc18698f7b4e2adf36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MediaBrowser.Controller/IServerApplicationHost.cs"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88093, "scanner": "repobility-threat-engine", "fingerprint": "d82b54fe16e8955de86b0f6db6892ff62896a89d44e359a40226b647b7836528", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d82b54fe16e8955de86b0f6db6892ff62896a89d44e359a40226b647b7836528"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MediaBrowser.Controller/Entities/Extensions.cs"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88092, "scanner": "repobility-threat-engine", "fingerprint": "70790767afe6153ff67ab8bb1cfaee2541999109e63cb6363feae5a3ae00a6ef", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|70790767afe6153ff67ab8bb1cfaee2541999109e63cb6363feae5a3ae00a6ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/SystemManager.cs"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC025", "level": "error", "message": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand external entities by default in pre-4.5.2 runtimes (and even later if XmlResolver is left at default). 
Allows file disclosure and SSRF via XXE."}, "properties": {"repobilityId": 88090, "scanner": "repobility-threat-engine", "fingerprint": "a63218724c5e81596fff2114395a2dfe1169cb1e9995f695bc3c33a2e29fe314", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new XmlDocument()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC025", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a63218724c5e81596fff2114395a2dfe1169cb1e9995f695bc3c33a2e29fe314"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MediaBrowser.Providers/Books/OpenPackagingFormat/EpubProvider.cs"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC025", "level": "error", "message": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand external entities by default in pre-4.5.2 runtimes (and even later if XmlResolver is left at default). 
Allows file disclosure and SSRF via XXE."}, "properties": {"repobilityId": 88089, "scanner": "repobility-threat-engine", "fingerprint": "303c33a2b1e910c2ad0a3a6c57ae3a323436d6d2eb49d692edd11b8d93ebf040", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new XmlDocument()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC025", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|303c33a2b1e910c2ad0a3a6c57ae3a323436d6d2eb49d692edd11b8d93ebf040"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MediaBrowser.Providers/Books/OpenPackagingFormat/EpubImageProvider.cs"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC025", "level": "error", "message": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand external entities by default in pre-4.5.2 runtimes (and even later if XmlResolver is left at default). 
Allows file disclosure and SSRF via XXE."}, "properties": {"repobilityId": 88088, "scanner": "repobility-threat-engine", "fingerprint": "11ddd8a44454d164354f06f0ded3e793d784bbbb6afc8b9a06713ea167564986", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "XmlReader.Create(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC025", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|11ddd8a44454d164354f06f0ded3e793d784bbbb6afc8b9a06713ea167564986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/Serialization/MyXmlSerializer.cs"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88084, "scanner": "repobility-threat-engine", "fingerprint": "888287d058bd251f551de05abbea22133846de310f07be72572d3c87101030ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "File.Delete(tempFile);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|888287d058bd251f551de05abbea22133846de310f07be72572d3c87101030ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/ScheduledTasks/Tasks/AudioNormalizationTask.cs"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88083, "scanner": "repobility-threat-engine", "fingerprint": "0b8713b7ca20f4bbf8c7d04e74e55ca069ad2ecfaac3a77b087aa83b07532011", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Directory.Delete(path, true);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0b8713b7ca20f4bbf8c7d04e74e55ca069ad2ecfaac3a77b087aa83b07532011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/Library/ExternalDataManager.cs"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88082, "scanner": "repobility-threat-engine", "fingerprint": "920aa59c74a025dcc4bb53dfc2a15fa8751caf52939bf5e55dfe3814d98dd0cc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Directory.Delete(folder, true);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|920aa59c74a025dcc4bb53dfc2a15fa8751caf52939bf5e55dfe3814d98dd0cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Emby.Server.Implementations/Data/CleanDatabaseScheduledTask.cs"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 88080, "scanner": "repobility-threat-engine", "fingerprint": "fa38a5aef7cc749453c121b550beeba934a6b84cb9af41ea8af450267c74324d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa38a5aef7cc749453c121b550beeba934a6b84cb9af41ea8af450267c74324d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Jellyfin.LiveTv/Listings/SchedulesDirectDtos/LogoDto.cs"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": 
"[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 88079, "scanner": "repobility-threat-engine", "fingerprint": "db96f78d849cebeae70f23ccaaf1bdaeea18fdf4a053c949238d6a9269a6ca9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|db96f78d849cebeae70f23ccaaf1bdaeea18fdf4a053c949238d6a9269a6ca9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MediaBrowser.Common/Extensions/BaseExtensions.cs"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 88078, "scanner": "repobility-threat-engine", "fingerprint": "fdfbb3bfa1130fb708a961fa66bd2fe2d7543a8de36f3eaefc4be47b0678d46a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fdfbb3bfa1130fb708a961fa66bd2fe2d7543a8de36f3eaefc4be47b0678d46a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"Emby.Server.Implementations/Cryptography/CryptographyProvider.cs"}, "region": {"startLine": 48}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 88097, "scanner": "gitleaks", "fingerprint": "a1c3a45ca6432ae4a62810bee76d3829eb7346cbf5c610d9bb5604603c80ad65", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "ApiKey = \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|2|apikey redacted", "duplicate_count": 1, "duplicate_rule_ids": ["SEC002", "generic-api-key"], "duplicate_scanners": ["gitleaks", "repobility-threat-engine"], "duplicate_fingerprints": ["5673d36555cf171c076c37af4bf5c5e405090f391c75f32e5bd866cb6c4808a9", "a1c3a45ca6432ae4a62810bee76d3829eb7346cbf5c610d9bb5604603c80ad65"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MediaBrowser.Providers/Plugins/Tmdb/TmdbUtils.cs"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC002", "level": "error", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 88096, "scanner": "repobility-threat-engine", "fingerprint": "3a7d63d6ae8971c870c8d15e0d3978b3a3a8658d2e6b012b174b9ef78f2470b6", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (3.6 bits) \u2014 likely real secret", "evidence": {"match": "ApiKey = \"<redacted>\"", "reason": "High entropy value (3.6 bits) \u2014 likely real secret", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.9, 
"correlation_key": "secret|token|4|apikey redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Jellyfin.Api/Constants/InternalClaimTypes.cs"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 88069, "scanner": "repobility-supply-chain", "fingerprint": "54b7aef47ed8419cd6276d0cba30fad89bd0720a68648491a3d3bb3263e346ed", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54b7aef47ed8419cd6276d0cba30fad89bd0720a68648491a3d3bb3263e346ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/commands.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 88068, "scanner": "repobility-supply-chain", "fingerprint": "a916da63d0575201895d50073a29c48b888a95de0970e43e3eb87cd5cb25e9d5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a916da63d0575201895d50073a29c48b888a95de0970e43e3eb87cd5cb25e9d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/commands.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow 
uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 88067, "scanner": "repobility-supply-chain", "fingerprint": "f1493b4f3f3365cc21c852b5cd70cd62b886ff2a19185a6d8359004d375e65cd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1493b4f3f3365cc21c852b5cd70cd62b886ff2a19185a6d8359004d375e65cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/commands.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 88066, "scanner": "repobility-supply-chain", "fingerprint": "15e004f825170a2bc2b3bffd4f8a899acf9ff77f4419a4be3d7053aaadceeba6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15e004f825170a2bc2b3bffd4f8a899acf9ff77f4419a4be3d7053aaadceeba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/commands.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 88065, "scanner": "repobility-supply-chain", "fingerprint": "c1d30e3ffc99430070301038e7f823fb1b8ae3287e9f5aab1a9054eb9480f821", "category": "dependency", "severity": "critical", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1d30e3ffc99430070301038e7f823fb1b8ae3287e9f5aab1a9054eb9480f821"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/project-automation.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 88064, "scanner": "repobility-supply-chain", "fingerprint": "436565ea0f9544f679129544bb7e9bad8f6409fa68b91ef5a1944b8d00b25c48", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|436565ea0f9544f679129544bb7e9bad8f6409fa68b91ef5a1944b8d00b25c48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/project-automation.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 88063, "scanner": "repobility-supply-chain", "fingerprint": "296cd96d905335eefdb9672aea6db487bee61398e4cb095505b5b3b768c0f5b1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], 
"observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|296cd96d905335eefdb9672aea6db487bee61398e4cb095505b5b3b768c0f5b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/project-automation.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 88062, "scanner": "repobility-supply-chain", "fingerprint": "9c61789006fd0aba5c09fd003d8e5f95fc336f94ce69450408d8afce741422bb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c61789006fd0aba5c09fd003d8e5f95fc336f94ce69450408d8afce741422bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/project-automation.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 88061, "scanner": "repobility-supply-chain", "fingerprint": "41aa01f91c61b3a382b3204fa7fe00794c81eccf3aa5846fa39254adb7dd0a06", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41aa01f91c61b3a382b3204fa7fe00794c81eccf3aa5846fa39254adb7dd0a06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/project-automation.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 88060, "scanner": "repobility-supply-chain", "fingerprint": "66a9df1390997a4e2ff040aa6bd587403f0200d9e7e78592606658c766f2ad71", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|66a9df1390997a4e2ff040aa6bd587403f0200d9e7e78592606658c766f2ad71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-compat.yml"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.JF_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 88059, "scanner": "repobility-supply-chain", "fingerprint": "18b2b18a3a5e661a05fc295c9fe6b13f1def2bcced3f21cc38f02fca4585a0fa", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|18b2b18a3a5e661a05fc295c9fe6b13f1def2bcced3f21cc38f02fca4585a0fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-compat.yml"}, "region": {"startLine": 132}}}]}]}]}