{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 15 more): Same pattern found in 15 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM.", "shortDescription": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED083] Java Thread Start (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED011", "name": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match.", "shortDescription": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,764 bytes) committed to a repo that otherwise has 526 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `graalvm/setup-graalvm` pinned to mutable ref `@v1`", "shortDescription": {"text": "Action `graalvm/setup-graalvm` pinned to mutable ref `@v1`"}, "fullDescription": {"text": "`uses: graalvm/setup-graalvm@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `eclipse-temurin:21-jre-noble` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `eclipse-temurin:21-jre-noble` not pinned by digest"}, "fullDescription": {"text": "`FROM eclipse-temurin:21-jre-noble` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/562"}, "properties": {"repository": "headlesshq/headlessmc", "repoUrl": "https://github.com/headlesshq/headlessmc", "branch": "main"}, "results": [{"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 37748, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 37747, "scanner": "repobility-docker", "fingerprint": "919b1248097a2e4567da6956c462419e81eba1f85425e17942c7f71a64d0940a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:21-jre-noble", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|919b1248097a2e4567da6956c462419e81eba1f85425e17942c7f71a64d0940a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 37737, "scanner": "repobility-threat-engine", "fingerprint": "b7d80b84bd77ceed1e5655cef57cc08632fbd8a0a24a1d358a10c9daaf4ea4a5", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|35|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/mods/files/PaperModFileReader.java"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 37726, "scanner": "repobility-threat-engine", "fingerprint": "7342711cd8cb57710641f6784daba50d96294ca36997d91802742e4d0f1a4c12", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|43|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-java/src/main/java/io/github/headlesshq/headlessmc/java/download/ArchiveExtractor.java"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 37718, "scanner": "repobility-threat-engine", "fingerprint": "1a0f1632267bfc69abf86cf29a4bd38f82f006525821613578e7fa083cbc3773", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "log.info(\"Downloading Java \" + request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a0f1632267bfc69abf86cf29a4bd38f82f006525821613578e7fa083cbc3773"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-graalvm/src/main/java/io/github/headlesshq/headlessmc/graalvm/Main.java"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 37712, "scanner": "repobility-threat-engine", "fingerprint": "23b88bae010ad422917c8ea0549a997c825f275834f0d7fb76fe08a4657adc48", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Starting login process \" + threadId + \", enter '", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|23b88bae010ad422917c8ea0549a997c825f275834f0d7fb76fe08a4657adc48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-auth/src/main/java/io/github/headlesshq/headlessmc/auth/AbstractLoginCommand.java"}, "region": {"startLine": 261}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 37711, "scanner": "repobility-threat-engine", "fingerprint": "dc0ed29b185ef2191177a254edd777b9f94810954c434ac4f0dacb124fbb0d53", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"-Used:  \" + usedMemory + \"mb, (\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dc0ed29b185ef2191177a254edd777b9f94810954c434ac4f0dacb124fbb0d53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-api/src/main/java/io/github/headlesshq/headlessmc/api/command/impl/MemoryCommand.java"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 37710, "scanner": "repobility-threat-engine", "fingerprint": "8c2121e0b27ebc2a6efb8d0ca7581c638a9c2ec558466864aac0a07ff41788f2", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Found a HeadlessMcAPI that does not support cl agnostic contexts. \" + apiClass + \" on classloader \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8c2121e0b27ebc2a6efb8d0ca7581c638a9c2ec558466864aac0a07ff41788f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-api/src/main/java/io/github/headlesshq/headlessmc/api/classloading/ApiClassloadingHelper.java"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 37666, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e4a5d4d8025238e95a1c93a2764a965e63f8ac144865bdd70830892b3ffe51f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/server/downloader/FabricDownloader.java", "duplicate_line": 51, "correlation_key": "fp|6e4a5d4d8025238e95a1c93a2764a965e63f8ac144865bdd70830892b3ffe51f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/server/downloader/ModLauncherCommandDownloader.java"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 37665, "scanner": "repobility-ai-code-hygiene", "fingerprint": "18729c57ae59a73156b0cf90b0e5605067f572940104bc1b5841a725baf93652", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/server/downloader/FabricDownloader.java", "duplicate_line": 70, "correlation_key": "fp|18729c57ae59a73156b0cf90b0e5605067f572940104bc1b5841a725baf93652"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/server/downloader/ForgeDownloader.java"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 37745, "scanner": "repobility-threat-engine", "fingerprint": "58faf632963241d9d32a537ef16ab7ff693a5044838683bdeaa2d82340a82f1e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58faf632963241d9d32a537ef16ab7ff693a5044838683bdeaa2d82340a82f1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-scripts/version.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 37744, "scanner": "repobility-threat-engine", "fingerprint": "3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "aggregated_count": 3}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 37736, "scanner": "repobility-threat-engine", "fingerprint": "55dd9a4fe1ed00e875ab40ad2e079768353c2831badd419600f381c596cc9071", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|55dd9a4fe1ed00e875ab40ad2e079768353c2831badd419600f381c596cc9071"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 37732, "scanner": "repobility-threat-engine", "fingerprint": "9b1bb20899b9a602b1241cdeea9cb1612ef115699216341e80b87686889a3c7a", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|95|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/forge/ForgeCommand.java"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 37731, "scanner": "repobility-threat-engine", "fingerprint": "d34552d61f64458081ba7397892281ad5a5c9cfb7f1922b4be173ce44331cf40", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|45|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/FabricCommand.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 37730, "scanner": "repobility-threat-engine", "fingerprint": "33aff5ecc389270add33e1c889e8138688ae82652a1990ffe41fc93c010a826a", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|56|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/AbstractLaunchProcessLifecycle.java"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 37729, "scanner": "repobility-threat-engine", "fingerprint": "4afdd1d66dd904c83762d5bccd7f5d523755a9a725a36ddc191769275ec713cd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4afdd1d66dd904c83762d5bccd7f5d523755a9a725a36ddc191769275ec713cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-lwjgl/src/main/java/io/github/headlesshq/headlessmc/lwjgl/redirections/stb/STBImageRedirection.java"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 37728, "scanner": "repobility-threat-engine", "fingerprint": "e0b7b002deab6452b5757344e5d4a9ad15caa85defa35fb4292e7f0299366954", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0b7b002deab6452b5757344e5d4a9ad15caa85defa35fb4292e7f0299366954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-lwjgl/src/main/java/io/github/headlesshq/headlessmc/lwjgl/redirections/ObjectRedirection.java"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 37727, "scanner": "repobility-threat-engine", "fingerprint": "ddc745d2846d29df6b6fd1894c1a861211a85a421abfa26f398c71fd4aab17c5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ddc745d2846d29df6b6fd1894c1a861211a85a421abfa26f398c71fd4aab17c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher-wrapper/src/main/java/io/github/headlesshq/headlessmc/wrapper/plugin/TransformingClassloader.java"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 37725, "scanner": "repobility-threat-engine", "fingerprint": "59350640e184ac9d71ba2d80ef2bf2db7d761efce5f9c4da43214d912846118a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59350640e184ac9d71ba2d80ef2bf2db7d761efce5f9c4da43214d912846118a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/AbstractLaunchProcessLifecycle.java"}, "region": {"startLine": 281}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 37724, "scanner": "repobility-threat-engine", "fingerprint": "e4ee60433811ea5a692a97a4823362755499da73bbc2dac4a8990640e085f475", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4ee60433811ea5a692a97a4823362755499da73bbc2dac4a8990640e085f475"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher-wrapper/src/main/java/io/github/headlesshq/headlessmc/wrapper/ProcessThread.java"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 37723, "scanner": "repobility-threat-engine", "fingerprint": "ef3dfb1b77a9233970ef6037561fb05146e861d36dacf83c799ba8ad0ae2a287", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef3dfb1b77a9233970ef6037561fb05146e861d36dacf83c799ba8ad0ae2a287"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-graalvm/src/main/java/io/github/headlesshq/headlessmc/graalvm/Main.java"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 37722, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 37717, "scanner": "repobility-threat-engine", "fingerprint": "0066a5a790c830c9d4026cba5fc3d3729cdf98a6d3ae99941ce2379789a3ad6f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0066a5a790c830c9d4026cba5fc3d3729cdf98a6d3ae99941ce2379789a3ad6f", "aggregated_count": 1}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 37716, "scanner": "repobility-threat-engine", "fingerprint": "ecc12ff496d1e71d29bf65fc8faae4bf509670e974612660987b892a924e4b1d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ecc12ff496d1e71d29bf65fc8faae4bf509670e974612660987b892a924e4b1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-graalvm/src/main/java/io/github/headlesshq/headlessmc/graalvm/Main.java"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 37715, "scanner": "repobility-threat-engine", "fingerprint": "97a2821a813a8a49a1e4d8a60453201f40675f9e5c102d0856f0ebeca28bf0af", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|97a2821a813a8a49a1e4d8a60453201f40675f9e5c102d0856f0ebeca28bf0af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-auth/src/main/java/io/github/headlesshq/headlessmc/auth/AbstractLoginCommand.java"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 37714, "scanner": "repobility-threat-engine", "fingerprint": "9d8dc14e53bd134992d23648348e80e1b5d452f5d6aaa0abb96cce902d9526b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d8dc14e53bd134992d23648348e80e1b5d452f5d6aaa0abb96cce902d9526b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-api/src/main/java/io/github/headlesshq/headlessmc/api/command/line/CommandLineReader.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 37713, "scanner": "repobility-threat-engine", "fingerprint": "66395a6fcf0f3ecee9316826f6d915a403ea9b1b0d59964772bfe6cba15fe878", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|66395a6fcf0f3ecee9316826f6d915a403ea9b1b0d59964772bfe6cba15fe878"}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 37709, "scanner": "repobility-threat-engine", "fingerprint": "a0d84602a1575bc5cb137ebcd2b9cc7c30dd1f1a6ae0d3277bb4897c16e26055", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0d84602a1575bc5cb137ebcd2b9cc7c30dd1f1a6ae0d3277bb4897c16e26055"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildSrc/src/main/groovy/io/github/headlesshq/headlessmc/gradle/ModuleExtension.groovy"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 37708, "scanner": "repobility-threat-engine", "fingerprint": "01b1dcc913081b25147e68a57d5d3cf131b8a67387756e409318f52b0c7ab39c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01b1dcc913081b25147e68a57d5d3cf131b8a67387756e409318f52b0c7ab39c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildSrc/src/main/groovy/io/github/headlesshq/headlessmc/gradle/GenerateModuleTask.groovy"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 37707, "scanner": "repobility-threat-engine", "fingerprint": "117b14b30348b3047dc331c9b8205104448286361340c9d5f22324d9a71f6ea5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|117b14b30348b3047dc331c9b8205104448286361340c9d5f22324d9a71f6ea5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildSrc/src/main/groovy/io/github/headlesshq/headlessmc/gradle/Extension2ClassWriterAdapter.groovy"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 37746, "scanner": "repobility-docker", "fingerprint": "3e7b8b0e30af997d5cfddfbfddd5bc79b46a0af3798a7b94e13a2110595a8c8f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3e7b8b0e30af997d5cfddfbfddd5bc79b46a0af3798a7b94e13a2110595a8c8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 37743, "scanner": "repobility-threat-engine", "fingerprint": "7aeaad81f66ca8ed32b2e2b5b3d66216331d1b48cc9ce185df80ed8140152daa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7aeaad81f66ca8ed32b2e2b5b3d66216331d1b48cc9ce185df80ed8140152daa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/version/LibraryImpl.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 37742, "scanner": "repobility-threat-engine", "fingerprint": "7af002eccc540e8a134f4cd97cdcd206ef8893f332627f8b585e92ada57bbcaf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7af002eccc540e8a134f4cd97cdcd206ef8893f332627f8b585e92ada57bbcaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/version/LibraryFactory.java"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 37741, "scanner": "repobility-threat-engine", "fingerprint": "1a8d65db9d9187663b876b92d17cd66fcc526c0fb55faff0171cb3d73be3aa89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a8d65db9d9187663b876b92d17cd66fcc526c0fb55faff0171cb3d73be3aa89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/mods/modrinth/ModrinthFile.java"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 37735, "scanner": "repobility-threat-engine", "fingerprint": "4eebefe2974d182bdcffbd292c406ad887e6dae3659db2765fd9a7f1325b3e3d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4eebefe2974d182bdcffbd292c406ad887e6dae3659db2765fd9a7f1325b3e3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/forge/ForgeInstaller.java"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 37734, "scanner": "repobility-threat-engine", "fingerprint": "8d3d849ce18a310438cf06dfbcff9435c7890dc463e21d92f3cca566cbab4e79", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8d3d849ce18a310438cf06dfbcff9435c7890dc463e21d92f3cca566cbab4e79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/download/VersionInfoUtil.java"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 37733, "scanner": "repobility-threat-engine", "fingerprint": "c6a7c1f9e140af5ad0d704cf8cfd1f54ed344242d35d892b5b091d99b7dce428", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c6a7c1f9e140af5ad0d704cf8cfd1f54ed344242d35d892b5b091d99b7dce428"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/SpecificsCommand.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 37721, "scanner": "repobility-threat-engine", "fingerprint": "cc3cd0d2586464a8cdefa43ceb673f98fb7cc61ba905c1c31a48ff9e68029847", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fileManager.delete(file);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cc3cd0d2586464a8cdefa43ceb673f98fb7cc61ba905c1c31a48ff9e68029847"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/LauncherBuilder.java"}, "region": {"startLine": 195}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 37720, "scanner": "repobility-threat-engine", "fingerprint": "18ab5fc404bac4832c21624080f002c47e5559a3bb8cd13f1d7fc917ecbd56e8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Files.delete(downloadPath);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|18ab5fc404bac4832c21624080f002c47e5559a3bb8cd13f1d7fc917ecbd56e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-java/src/main/java/io/github/headlesshq/headlessmc/java/download/TemurinDownloader.java"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 37719, "scanner": "repobility-threat-engine", "fingerprint": "1d3337432baee54278d1ad22a01d8a5b412a3b44bff159298ffe0fa933100ba7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "process.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d3337432baee54278d1ad22a01d8a5b412a3b44bff159298ffe0fa933100ba7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-graalvm/src/main/java/io/github/headlesshq/headlessmc/graalvm/Main.java"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 37706, "scanner": "repobility-threat-engine", "fingerprint": "fa1dc04ea107f8b352ed12371ecb9ff8a4ceb5f4c81ac77865d043f61e40fd3b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa1dc04ea107f8b352ed12371ecb9ff8a4ceb5f4c81ac77865d043f61e40fd3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildSrc/src/main/groovy/io/github/headlesshq/headlessmc/gradle/GenerateModuleTask.groovy"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 37705, "scanner": "repobility-threat-engine", "fingerprint": "b31f2eda190b1ea3585490c178b9fe6152edc7c977174da620c8cb02cd291001", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b31f2eda190b1ea3585490c178b9fe6152edc7c977174da620c8cb02cd291001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "buildSrc/src/main/groovy/io/github/headlesshq/headlessmc/gradle/Extension2ClassWriterAdapter.groovy"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 37704, "scanner": "repobility-supply-chain", "fingerprint": "e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `graalvm/setup-graalvm` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 37699, "scanner": "repobility-supply-chain", "fingerprint": "ee85ca83ffad6e7772e751a15a404e194d5d195ee59e94d217281c19571729db", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee85ca83ffad6e7772e751a15a404e194d5d195ee59e94d217281c19571729db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 37698, "scanner": "repobility-supply-chain", "fingerprint": "88a1b9f4e5327c9bdbeaf4b3eddec5d6f5395e7fc1cb5677f39ac4f2adb81a36", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88a1b9f4e5327c9bdbeaf4b3eddec5d6f5395e7fc1cb5677f39ac4f2adb81a36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/deploy-pages` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 37697, "scanner": "repobility-supply-chain", "fingerprint": "64fc8f0247a4e4604443ff0d609dcec7ae7c0caa307b8bef7edbfc567079cf18", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64fc8f0247a4e4604443ff0d609dcec7ae7c0caa307b8bef7edbfc567079cf18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 37696, "scanner": "repobility-supply-chain", "fingerprint": "4d3a019f89ef50d444c5eb0a6c080069e333a5be6d9ccb3c76116e5fd639b31c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d3a019f89ef50d444c5eb0a6c080069e333a5be6d9ccb3c76116e5fd639b31c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-pages-artifact` pinned to mutable ref `@v4.0.0`"}, "properties": {"repobilityId": 37695, "scanner": "repobility-supply-chain", "fingerprint": "247feb8be4322dc2ae16933083facd4a78efdc73d1f40dab4af55aa95ef57cb3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|247feb8be4322dc2ae16933083facd4a78efdc73d1f40dab4af55aa95ef57cb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 37694, "scanner": "repobility-supply-chain", "fingerprint": "40cd06ed5cccb8ba5bce9181762c57f3dc61de22a71feb17f70681fbe180b3cb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40cd06ed5cccb8ba5bce9181762c57f3dc61de22a71feb17f70681fbe180b3cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 37693, "scanner": "repobility-supply-chain", "fingerprint": "b88351aea32696783fef21a05c8b032927f6e35a484bcfbb399dac86ae95ce16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b88351aea32696783fef21a05c8b032927f6e35a484bcfbb399dac86ae95ce16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 37692, "scanner": "repobility-supply-chain", "fingerprint": "404220f07e3f5e53fea0723221767ec46e886655d3becfbe15e8a40e12ba4b1f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|404220f07e3f5e53fea0723221767ec46e886655d3becfbe15e8a40e12ba4b1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `madrapps/jacoco-report` pinned to mutable ref `@v1.7.2`"}, "properties": {"repobilityId": 37691, "scanner": "repobility-supply-chain", "fingerprint": "520a533bd3d7a006370547a1f221d3122a5cb293f7fc02a17a04d8c952ed94e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|520a533bd3d7a006370547a1f221d3122a5cb293f7fc02a17a04d8c952ed94e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 37690, "scanner": "repobility-supply-chain", "fingerprint": "52528e407e42df796d5bca5cd90e2fa465c714fec01d524bb8dd4358d56110d5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52528e407e42df796d5bca5cd90e2fa465c714fec01d524bb8dd4358d56110d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 37689, "scanner": "repobility-supply-chain", "fingerprint": "39d03008881d75e880befa91a3c5c4f22276f331acd75390f5d12e7386e6363d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39d03008881d75e880befa91a3c5c4f22276f331acd75390f5d12e7386e6363d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 37688, "scanner": "repobility-supply-chain", "fingerprint": "cb81effd28cf0b9590086603a54dc22d33f9c05bdeda54ea5ce915910ce38b11", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb81effd28cf0b9590086603a54dc22d33f9c05bdeda54ea5ce915910ce38b11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 37687, "scanner": "repobility-supply-chain", "fingerprint": "888f1043d7b626a930170b524dae96e4ba5bd37e2e346e2a3e17fe75c36067f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|888f1043d7b626a930170b524dae96e4ba5bd37e2e346e2a3e17fe75c36067f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 37686, "scanner": "repobility-supply-chain", "fingerprint": "1ec59df6b015ee4e8d80752f5f130118ab30ded8bb82e449d8ecd2413f9c9ce9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ec59df6b015ee4e8d80752f5f130118ab30ded8bb82e449d8ecd2413f9c9ce9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 37685, "scanner": "repobility-supply-chain", "fingerprint": "e822957b681ae73efcf0ed6b2d008b25088d728e44a232ec28372c596476c958", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e822957b681ae73efcf0ed6b2d008b25088d728e44a232ec28372c596476c958"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-runtime-test.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `gradle/actions/setup-gradle` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 37684, "scanner": "repobility-supply-chain", "fingerprint": "509db747d457841d259db2c2329beeec32250a5c780e42fd289d37150fc36fa8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|509db747d457841d259db2c2329beeec32250a5c780e42fd289d37150fc36fa8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-runtime-test.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 37683, "scanner": "repobility-supply-chain", "fingerprint": "66667a354151c57aa4a9d31d24f4cae31afb583963a7b6f7a1118e23914a861c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|66667a354151c57aa4a9d31d24f4cae31afb583963a7b6f7a1118e23914a861c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-runtime-test.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 37682, "scanner": "repobility-supply-chain", "fingerprint": "a6c092a6d4211719aae93911c24bdee6e81fb1789661a17e20d71710d7d9d020", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6c092a6d4211719aae93911c24bdee6e81fb1789661a17e20d71710d7d9d020"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-runtime-test.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 37681, "scanner": "repobility-supply-chain", "fingerprint": "db03dfa8e8d9173cc6c5a6deab64687bbaeff3b071c6dbbcd60abb714d4dd68f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db03dfa8e8d9173cc6c5a6deab64687bbaeff3b071c6dbbcd60abb714d4dd68f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-runtime-test.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `headlesshq/mc-runtime-test` pinned to mutable ref `@4.1.0`"}, "properties": {"repobilityId": 37680, "scanner": "repobility-supply-chain", "fingerprint": "e9e2c08005d98d682f5cca2dcfa1dda232fc6f017df65b753bd51d5eb940a02c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9e2c08005d98d682f5cca2dcfa1dda232fc6f017df65b753bd51d5eb940a02c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-matrix-in-memory.yml"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 37679, "scanner": "repobility-supply-chain", "fingerprint": "115fa3f9cbfa4fd9c686271c798d9e8952efaf7df786d0e0171507c667a9a0a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|115fa3f9cbfa4fd9c686271c798d9e8952efaf7df786d0e0171507c667a9a0a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-matrix-in-memory.yml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 37678, "scanner": "repobility-supply-chain", "fingerprint": "914c2c68ea2750db788706c3543e097e8a42fdc27b2cf8f64d8fc9c04c36263e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|914c2c68ea2750db788706c3543e097e8a42fdc27b2cf8f64d8fc9c04c36263e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-matrix-in-memory.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 37677, "scanner": "repobility-supply-chain", "fingerprint": "9db0da3ca9d5ae018a86f4a3e0c3e927d1bf3ada5b39f668ea6ec52af6572639", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9db0da3ca9d5ae018a86f4a3e0c3e927d1bf3ada5b39f668ea6ec52af6572639"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-matrix-in-memory.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 37676, "scanner": "repobility-supply-chain", "fingerprint": "094b57cd8702fb72d21763fc2f1d126b8d556f4b1286ce438e8b78c78ec48eb0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|094b57cd8702fb72d21763fc2f1d126b8d556f4b1286ce438e8b78c78ec48eb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-matrix-in-memory.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 37675, "scanner": "repobility-supply-chain", "fingerprint": "30d4a45818941b8dcb37fbb1dfcccc86e235dd9fb66ef768a4aec90a97a7e462", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|30d4a45818941b8dcb37fbb1dfcccc86e235dd9fb66ef768a4aec90a97a7e462"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-matrix-in-memory.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:21-jre-noble` not pinned by digest"}, "properties": {"repobilityId": 37674, "scanner": "repobility-supply-chain", "fingerprint": "44bb452aa6201bd865ef607747f00444665ba28f0a8b8d6bfb15c52277d13466", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44bb452aa6201bd865ef607747f00444665ba28f0a8b8d6bfb15c52277d13466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Fast.Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:17-jre-noble` not pinned by digest"}, "properties": {"repobilityId": 37673, "scanner": "repobility-supply-chain", "fingerprint": "2c17ad1441651377f981c50fe2b64775a7d129c9e15dfe3c5ed02fecc0e65aa7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c17ad1441651377f981c50fe2b64775a7d129c9e15dfe3c5ed02fecc0e65aa7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Fast.Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:8-jre-noble` not pinned by digest"}, "properties": {"repobilityId": 37672, "scanner": "repobility-supply-chain", "fingerprint": "4a33692303662ed9ea4c5039d820ec9791054f55739e9ecdd5f1a51ff8ca2532", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a33692303662ed9ea4c5039d820ec9791054f55739e9ecdd5f1a51ff8ca2532"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Fast.Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:21-jdk-noble` not pinned by digest"}, "properties": {"repobilityId": 37671, "scanner": "repobility-supply-chain", "fingerprint": "ee7fb7cadaa849a7ced699636895837ddec4c6f44694290f86d99d4c81ba356a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee7fb7cadaa849a7ced699636895837ddec4c6f44694290f86d99d4c81ba356a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Fast.Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:21-jre-noble` not pinned by digest"}, "properties": {"repobilityId": 37670, "scanner": "repobility-supply-chain", "fingerprint": "34326423c0a78db08c0ee0bf5be9e2bdc4c977cd4e3b2dec19834cfc3c2ab421", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34326423c0a78db08c0ee0bf5be9e2bdc4c977cd4e3b2dec19834cfc3c2ab421"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:17-jre-noble` not pinned by digest"}, "properties": {"repobilityId": 37669, "scanner": "repobility-supply-chain", "fingerprint": "1a94c710177f9e57e6b5cf2da4bf449b2799a8f57ce58290621e5d77b1155451", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a94c710177f9e57e6b5cf2da4bf449b2799a8f57ce58290621e5d77b1155451"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:8-jre-noble` not pinned by digest"}, "properties": {"repobilityId": 37668, "scanner": "repobility-supply-chain", "fingerprint": "adf045a7bff8eeb08319733e323f046c4f4a548e6569572b52f3536f2cc6c72c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|adf045a7bff8eeb08319733e323f046c4f4a548e6569572b52f3536f2cc6c72c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:21-jdk-noble` not pinned by digest"}, "properties": {"repobilityId": 37667, "scanner": "repobility-supply-chain", "fingerprint": "5250bd11e5b8ca2b9521be14332149fc884dfbabbb6005bac493dff2c46be4e3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5250bd11e5b8ca2b9521be14332149fc884dfbabbb6005bac493dff2c46be4e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 37740, "scanner": "repobility-threat-engine", "fingerprint": "e941acb7135435ced75aa73eb219ef4e5a917d70a6cc0c979abd88b533834a5f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e941acb7135435ced75aa73eb219ef4e5a917d70a6cc0c979abd88b533834a5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/mods/files/PaperModFileReader.java"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 37739, "scanner": "repobility-threat-engine", "fingerprint": "8db5f8c1f2ec444d025ff31f2b7083225e0a294c3e4e1c042c1b341e1ab3314c", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|35|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/mods/files/PaperModFileReader.java"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 37738, "scanner": "repobility-threat-engine", "fingerprint": "0c2d23fcc29671fe482fd61177115866d520490b94f5740bb15a3e330b85e57f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(is)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0c2d23fcc29671fe482fd61177115866d520490b94f5740bb15a3e330b85e57f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/mods/files/PaperModFileReader.java"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 37703, "scanner": "repobility-supply-chain", "fingerprint": "8507feab2faedd5a2b3e86318341000b75868c5a85008479a70b5936e8a2e912", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8507feab2faedd5a2b3e86318341000b75868c5a85008479a70b5936e8a2e912"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 747}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger"}, "properties": {"repobilityId": 37702, "scanner": "repobility-supply-chain", "fingerprint": "7f1faf075018722761f07a6ad5f006254ea83c9e6c6ca4c252c61119d0f0a578", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7f1faf075018722761f07a6ad5f006254ea83c9e6c6ca4c252c61119d0f0a578"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 746}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 37701, "scanner": "repobility-supply-chain", "fingerprint": "7b6860aa0c1db23787436e8240c5e9a11eab9140a4a9c8378e0d356d2a97792b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b6860aa0c1db23787436e8240c5e9a11eab9140a4a9c8378e0d356d2a97792b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 684}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger"}, "properties": {"repobilityId": 37700, "scanner": "repobility-supply-chain", "fingerprint": "b8dd3a25fbb96cfe035ff3168db9be2fceb3012abf0ce2f846f29559cb4b6730", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8dd3a25fbb96cfe035ff3168db9be2fceb3012abf0ce2f846f29559cb4b6730"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lifecycle.yml"}, "region": {"startLine": 683}}}]}]}]}