{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DEPCUR-NPM", "name": "npm package `dotenv` is minor version(s) behind (17.2.3 -> 17.4.2)", "shortDescription": {"text": "npm package `dotenv` is minor version(s) behind (17.2.3 -> 17.4.2)"}, "fullDescription": {"text": "`dotenv` is pinned/resolved at 17.2.3 but the latest stable release on the npm registry is 17.4.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "package.json dep `framework-stars` pulled from URL/Git", "shortDescription": {"text": "package.json dep `framework-stars` pulled from URL/Git"}, "fullDescription": {"text": "`dependencies.framework-stars` = `github:vanodevium/framework-stars#main` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1248"}, "properties": {"repository": "vanodevium/node-framework-stars", "repoUrl": "https://github.com/vanodevium/node-framework-stars", "branch": "main"}, "results": [{"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `dotenv` is minor version(s) behind (17.2.3 -> 17.4.2)"}, "properties": {"repobilityId": 126001, "scanner": "repobility-dependency-currency", "fingerprint": "7d0a6edf3bc4266f7204b7de7e254c27bb3062fe732aff34b6d85e61a31f7e6b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dotenv", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.4.2", "correlation_key": "fp|7d0a6edf3bc4266f7204b7de7e254c27bb3062fe732aff34b6d85e61a31f7e6b", "current_version": "17.2.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 125998, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 125997, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 126000, "scanner": "repobility-supply-chain", "fingerprint": "2b550296e8dcaab1c888c44d9a4b806a1f2a194d50f1231e5e5fb11b707b5e98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b550296e8dcaab1c888c44d9a4b806a1f2a194d50f1231e5e5fb11b707b5e98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cron.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `framework-stars` pulled from URL/Git"}, "properties": {"repobilityId": 125999, "scanner": "repobility-supply-chain", "fingerprint": "5a0f94a4a200609147da721c14871d51ebb3886eba0f326d626b623cbca8106f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a0f94a4a200609147da721c14871d51ebb3886eba0f326d626b623cbca8106f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}]}]}